US10496819B2 - System and method of distributing files between virtual machines forming a distributed system for performing antivirus scans - Google Patents


Info

Publication number
US10496819B2
Authority
US
United States
Prior art keywords
antivirus scan
virtual machine
computing resources
virtual machines
time
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US15/432,068
Other versions
US20170337377A1 (en)
Inventor
Denis O. Vlaznev
Nikita M. Voitov
Maxim A. Vasilyev
Maxim E. Naumov
Evgeny S. Semenov
Alexander Y. Onishchenko
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kaspersky Lab AO
Original Assignee
Kaspersky Lab AO
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kaspersky Lab AO
Assigned to AO Kaspersky Lab (assignment of assignors' interest; assignors: NAUMOV, MAXIM E; ONISHCHENKO, ALEXANDER Y; SEMENOV, EVGENY S; VASILYEV, MAXIM A; VLAZNEV, DENIS O; VOITOV, NIKITA M)
Priority to JP2017093979A (JP6469165B2)
Priority to EP17172049.3A (EP3246842B1)
Priority to CN201710363585.7A (CN107403094B)
Publication of US20170337377A1
Application granted
Publication of US10496819B2
Legal status: Active

Classifications

    • G PHYSICS
      • G06 COMPUTING OR CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                  • G06F9/45533 Hypervisors; Virtual machine monitors
                    • G06F9/45558 Hypervisor-specific management and integration aspects
                      • G06F2009/45587 Isolation or security of virtual machine instances
                      • G06F2009/45591 Monitoring or debugging support
                      • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
              • G06F9/46 Multiprogramming arrangements
                • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
          • G06F11/00 Error detection; Error correction; Monitoring
            • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
              • G06F11/14 Error detection or correction of the data by redundancy in operation
                • G06F11/1479 Generic software techniques for error detection or fault masking
                  • G06F11/1482 Generic software techniques for error detection or fault masking by means of middleware or OS functionality
                    • G06F11/1484 Generic software techniques for error detection or fault masking by means of middleware or OS functionality involving virtual machines
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
                • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                  • G06F21/562 Static detection
                    • G06F21/564 Static detection by virus signature recognition
                  • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
                  • G06F21/567 Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
              • G06F2221/033 Test or assess software
              • G06F2221/034 Test or assess a computer or a system

Definitions

  • the invention pertains generally to the field of cybersecurity and, more particularly, to systems and methods of detecting malicious files in a distributed system of virtual machines.
  • Antivirus programs may be used to defeat malicious programs.
  • An effective solution may require first and foremost a timely detection of files containing the code of malicious programs, for which the antivirus programs may employ various technologies, such as signature, heuristic and proactive analysis, white and black lists, and so forth.
  • Each of the above-mentioned technologies may have its own effectiveness in detecting malicious files, based on its potential ability to detect certain malicious files and on the requirements it places on the computing resources of the computer system on which the technology is running.
  • the volumes of data (including files) being processed by computer systems are so vast that their antivirus scanning by antivirus programs may take a long time and demand substantial computing resources, which is especially critical for the users of personal computers. Therefore, in order to increase the effectiveness of detection of malicious files, methods of increasing the computing resources of the computer systems on which the search for malicious files takes place may be used.
  • distributed systems may be used to search for malicious files. Such systems may comprise several servers, and on each server only a portion of the files needing to be scanned is scanned.
  • the known operating methods may be ineffective when there is a heavy workload on the computer systems performing the antivirus scanning of files, or when some of the computer systems taking part in the antivirus scanning of files are malfunctioning.
  • a method for detecting malicious files in a distributed network having a plurality of virtual machines comprising: determining and obtaining, by a virtual machine of the plurality of virtual machines, at least one file stored on the virtual machine for performing an antivirus scan; collecting, by the virtual machine, data relating to characteristics of computing resources of the plurality of virtual machines and one or more parameters relating to the antivirus scan; determining an approximation time function of the characteristics of the computing resources of the plurality of virtual machines and an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data; determining an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters; and based at least on the approximation time function of effectiveness of the antivirus scan, selecting at least one virtual machine from the plurality of virtual machines to perform the
  • selecting the at least one virtual machine comprises determining the most effective start time for performing the antivirus scan by fulfilling at least one of the following criteria: the antivirus scan taking the least time; the antivirus scan taking less time than scheduled; the antivirus scan being completed no later than a scheduled time; a minimum number of computing resources of the virtual machine being needed to perform the antivirus scan; or fewer computing resources of the virtual machine than scheduled being needed to perform the antivirus scan.
  • selecting at least one virtual machine comprises: detecting that the at least one virtual machine is able to at least perform the antivirus scan of the at least one file using computing resources available in a scheduled time slot; detecting the at least one virtual machine with the lowest calculated workload level among the plurality of virtual machines in the distributed network; detecting the at least one virtual machine with a calculated workload level lower than an established threshold value; or detecting no less than two virtual machines of the plurality of virtual machines whose combined calculated workload level is less than the combined workload level of the remaining virtual machines of the plurality of virtual machines.
  • collecting the data relating to the characteristics of computing resources of the plurality of virtual machines comprises at least one of: detecting a time period between obtaining the at least one file and determining whether the at least one file is malicious; detecting a number of files transmitted to the virtual machine for the antivirus scan; and determining a computing capacity of each of the plurality of the virtual machines.
  • the one or more parameters relating to the antivirus scan comprise at least one of: methods for detecting malicious files used by the plurality of virtual machines, the methods comprising at least one of: a signature analysis, a heuristic analysis, an analysis of emulation results, and an analysis of black and white lists; and the characteristics of computing resources of the plurality of virtual machines used for performing the antivirus scan.
  • the methods for detecting malicious files are determined based at least on the maximum time during which the antivirus scan takes place, and an emulation depth of files being scanned.
  • the approximation time function of the characteristics of the computing resources of the plurality of virtual machines is determined based at least on the collected data relating to the characteristics of the computing resources of each virtual machine, characteristics of computing resources of each virtual machine which are accessible at a selected time, the time of determination of characteristics of the computing resources of each virtual machine, and the time for which it is necessary to determine the characteristics of the computing resources of each virtual machine.
  • the approximation function of the one or more parameters relating to the antivirus scan is determined based at least on data relating to presumptive parameters of the antivirus scan for the characteristics of the computing resources, and characteristics of the computing resources of each virtual machine for performing the antivirus scan.
  • the approximation time function of effectiveness of the antivirus scan is determined based on parameters defining a type and size of the at least one file.
  • a system for detecting malicious files in a distributed network having a plurality of virtual machines comprising: a virtual machine of the plurality of virtual machines having at least one thin client operating thereon, the virtual machine being configured to: determine and obtain at least one file stored on the virtual machine for performing an antivirus scan; collect data relating to characteristics of computing resources of the plurality of virtual machines and one or more parameters relating to the antivirus scan; determine an approximation time function of the characteristics of the computing resources of the plurality of virtual machines and an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data; determine an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters; and based at least on the approximation time function of effectiveness of the antivirus scan, select at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least
  • a non-transitory computer readable medium storing thereon computer executable instructions for detecting malicious files in a distributed network having a plurality of virtual machines, including instructions for: determining and obtaining, by a virtual machine of the plurality of virtual machines, at least one file stored on the virtual machine for performing an antivirus scan; collecting, by the virtual machine, data relating to characteristics of computing resources of the plurality of virtual machines and one or more parameters relating to the antivirus scan; determining an approximation time function of the characteristics of the computing resources of the plurality of virtual machines and an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data; determining an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters; and based at least on the approximation time function of effectiveness of the antivirus scan, selecting at least one virtual machine from the plurality of
  • FIG. 1 illustrates an exemplary system for detecting malicious files on a virtual machine according to aspects of the invention.
  • FIG. 2 illustrates an exemplary method for detecting malicious files on a virtual machine according to aspects of the invention.
  • FIG. 3 illustrates the approximation time function of the characteristics of computing resources of protecting virtual machines according to aspects of the invention.
  • FIG. 4 illustrates the approximation time functions of the characteristics of computing resources of several protecting virtual machines according to aspects of the invention.
  • FIG. 5 illustrates a computer system, a personal computer or server, on which the disclosed systems and method can be implemented.
  • Example aspects are described herein in the context of a system, method and computer program product for detecting malicious files in a distributed network having a plurality of virtual machines.
  • Those of ordinary skill in the art will realize that the following description is illustrative only and is not intended to be in any way limiting. Other aspects will readily suggest themselves to those skilled in the art having the benefit of this disclosure.
  • a protected virtual machine may include a virtual machine working under the control of a hypervisor, with an installed guest operating system, in the computational environment of which a thin client is executing.
  • a protecting virtual machine may be a virtual machine working under the control of a hypervisor, with an installed operating system, in the environment of which a protection server is working.
  • a thin client may include software configured to protect a protected virtual machine against malicious programs and computer threats and to transmit files for the antivirus scan in the network to the protecting virtual machines.
  • a protection server may include software configured to perform an antivirus scan of files received from protected virtual machines.
  • FIG. 1 illustrates an exemplary system for detection of malicious files on a virtual machine according to aspects of the invention.
  • the structural diagram of the system for detection of malicious files on a virtual machine may include a protected virtual machine 100 , a storage of files requiring an antivirus scan 101 , a thin client module 110 , a collecting module 111 , a dynamic computing module 112 , a selection module 113 , a task forming module 114 , a protecting virtual machine 120 , and a scanning module 121 .
  • the system for detection of malicious files on a virtual machine may contain a protected virtual machine 100 , working under the control of a hypervisor, with an installed guest operating system, in the environment of which a thin client 110 is working, and protecting virtual machines 120 , working under the control of a hypervisor and with an installed operating system, in the environment of each of which a scanning module 121 is working.
  • the protecting virtual machine 120 may be configured to carry out an antivirus scan on files received from the thin client 110 , and it may contain the scanning module 121 .
  • the scanning module 121 may be configured to:
  • the protected virtual machine 100 may be configured to detect the files requiring an antivirus scan in the storage of files 101 and transfer these to the thin client module 110 for performing an antivirus scan.
  • the thin client module 110 may be configured to protect the protected virtual machine 100 against malicious files and it may include a collecting module 111 , a dynamic computing module 112 , a selection module 113 , and a task forming module 114 .
  • the collecting module 111 may be configured to:
  • the characteristics of the computing resources of the protecting virtual machine 120 may include:
  • the collected characteristics of the computing resources of the protecting virtual machine 120 on which the scanning module 121 is running may be generalized to form a single characteristic of the computing resources of the protecting virtual machine 120 , which may include a set of numbers: ⁇ ,N, ⁇ M,B ⁇ for each established point in time t i of transmission of the collected data to the dynamic computing module 112 ,
  • the described set of numbers may be sufficient to calculate a multidimensional approximation function (one of whose coefficients is time) that may define the behavior of the scanning module 121 .
  • the parameters of the antivirus scan being performed by the scanning module 121 may include:
  • the parameters which may define the methods of detection of malicious files may include:
  • the computing capacity of the protecting virtual machine 120 on which the scanning module 121 is running may include:
  • the parameters used by the scanning module 121 to perform the antivirus scan of the files may affect the accuracy of the verdict pronounced by the scanning module 121 , e.g., the chance of not detecting a malicious file among malicious files or, conversely, the chance of detecting a malicious file among legitimate files when performing the antivirus scan.
  • the scanning module 121 of the protecting virtual machine #1 120 . 1 may perform a scan for each file received from the task forming module 114 with the aid of signature analysis in no more than 0.01 s, the scanning module 121 of the protecting virtual machine #2 120 .
  • the scanning module 121 of the protecting virtual machine #3 120 . 3 may use heuristic analysis with a depth of emulation of the files scanned equal to 1000 in no more than 0.04 s.
  • the most effective scanning means, i.e., the scanning means using the largest volume of computing resources of the protecting virtual machine, may be the scanning module 121 running on the protecting virtual machine #3 120 . 3 , even though the fastest one may be the scanning module 121 running on the protecting virtual machine #1 120 . 1 .
  • the dynamic computing module 112 may be configured to:
  • the workload level of the scanning module 121 of the protecting virtual machines 120 may act as the effectiveness of the antivirus scan on the protecting virtual machine 120 .
  • Regression analysis methods may be used to calculate the parameters in defining the approximation time functions.
  • the parameters a 1 , a 2 may be calculated as:
  • the selection module 113 may be configured to:
  • the selected scanning module 121 may include:
  • the workload level of the scanning module 121 may be determined and calculated as follows: there are 3 files of size 10 MB, 20 MB and 50 MB, respectively, for which it is necessary to perform an antivirus scan; the scanning module 121 has presented parameters describing the antivirus scan as a signature analysis taking at most 0.01 s, while the characteristic of the protecting virtual machine 120 on which the scanning module 121 is running may be an available RAM volume of 60 MB. Signature analysis means that the file will be placed in the RAM as is, i.e., it will take up the same volume as its size. In order for the workload of the scanning module 121 to be at maximum, it needs to transmit the aforementioned 3 files in two stages: in the first stage, file #1 and file #3; in the second stage, file #2.
  • the antivirus scan of all three files will take 0.02 s
  • the workload level of the scanning module 121 will be 1 and 0.3(3), respectively, and the resulting workload for the mentioned three files will be 0.6(6), which is the optimal result, given that during the scanning of file #2 the scanning module 121 will have sufficient computing resources to process new files.
  • the task forming module 114 may be configured to:
  • the antivirus scan of the file may be performed at once or after a certain time.
  • the scanning module 121 is already performing an antivirus scan of files received from the task forming module 113 prior to this, the antivirus scan of the new file may not be done, and the file may be stored (for example, on the hard drive of the protecting virtual machine 120 ) until the antivirus scan being performed is finished, after which the file may be loaded from the hard drive into memory, and the scanning module 121 may perform the antivirus scan.
  • two time-consuming but non-mandatory operations if the work is organized properly
  • the writing of the file to disk and the reading of the file from disk may be performed more quickly.
  • detecting of malicious files of a distribution of 1000 files, of total volume 1 GB, by a thin client 110 of a protected virtual machine 100 among three protecting virtual machines 120 ( 120 . 1 , 120 . 2 and 120 . 3 ) may be performed.
  • Scanning module 121 for performing an antivirus scan may employ signature analysis, heuristic analysis, and an analysis according to white and black lists, respectively.
  • Each type of the aforementioned analysis methods may have its own effectiveness (0.6, 0.95 and 0.1, respectively) and may require its own computing resources (200 MB of free RAM, CPU with operating speed not less than 100 MFLOPS plus 50 MB of free RAM and CPU with operating speed not less than 10 MFLOPS plus 10 MB of free RAM, respectively), which means that on average each scanning module 121 may process the file in 0.01, 0.1 and 0.002 s, respectively.
  • the files may be distributed uniformly by the task forming module 114 in accordance with how fast the given protecting virtual machine 120 may perform the antivirus scan.
  • the dynamic computing module 112 may accumulate statistics on the characteristics of the computing resources and the parameters of the antivirus scan of all the protecting virtual machines 120 at different points in time, which makes it possible to calculate the approximation functions of the characteristics and the parameters.
  • the parameters a 1 and a 2 may be calculated by the method of least squares, which makes it possible to predict how much available RAM the protecting virtual machine #1 120 . 1 may have at the time t i of sending of the file for performance of the antivirus scan to the scanning module 121 of the protecting virtual machine #1 120 . 1 . Knowing how much RAM may be available at any given point in time, the task forming module 114 may estimate which files may be sent to the scanning module 121 in order for those files to be processed in a minimum time.
  • Similar steps are taken for the protecting virtual machine #2 120 . 2 and #3 120 . 3 , where besides the RAM the CPU operating speed may also be used.
  • the parameters a 1 , a 2 , a 3 , a 4 may be calculated.
  • the CPU load of the protecting virtual machine 120 at the time t i of sending the file for performance of the antivirus scan to the scanning module 121 of the protecting virtual machine #2 120 . 2 (or #3 120 . 3 ) is predicted. In this way, one achieves the effect that the CPU of the protecting virtual machine 120 has a maximum effective load.
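The workload-level calculation above (files of 10 MB, 20 MB and 50 MB against 60 MB of available RAM) and the least-squares prediction of a protecting VM's free RAM at the send time t i, carried through end to end as an added example; this is illustrative code written for this page, not the patent's or Kaspersky's implementation. The free-RAM samples, the first-fit-decreasing packing of files into stages and the assumption that each stage costs one 0.01 s signature scan are constructed for the illustration.

```python
"""Added example (not the patent's own code): the two calculations the
description walks through for a protecting VM's scanning module.

1. Least-squares fit of collected free-RAM samples to predict the RAM the
   protecting VM will have at the send time t_i (the parameters a1, a2).
2. Packing the files waiting for a signature scan into stages that fit that
   RAM, then computing the workload level of each stage and the resulting
   workload, as in the 10 MB / 20 MB / 50 MB example with 60 MB of RAM.

All sample values below are constructed for illustration.
"""
from typing import List, Sequence, Tuple


def least_squares_line(samples: Sequence[Tuple[float, float]]) -> Tuple[float, float]:
    """Fit ram(t) ~= a1 + a2 * t by ordinary least squares.

    samples: (t, free_ram_mb) pairs collected from the protecting VM.
    Returns (a1, a2). Needs at least two samples taken at distinct times.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to fit a line")
    mean_t = sum(t for t, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in samples)
    if sxx == 0.0:
        raise ValueError("all samples share one time; the slope is undefined")
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in samples)
    a2 = sxy / sxx
    a1 = mean_y - a2 * mean_t
    return a1, a2


def predict_free_ram(samples: Sequence[Tuple[float, float]], t_i: float) -> float:
    """RAM (MB) predicted to be free at send time t_i; clamped at zero."""
    a1, a2 = least_squares_line(samples)
    return max(0.0, a1 + a2 * t_i)


def plan_stages(file_sizes_mb: Sequence[float], ram_mb: float):
    """Group files into scan stages whose total size fits in ram_mb.

    Signature analysis loads each file into RAM as is, so one stage may hold
    files whose sizes sum to at most ram_mb. Files are placed largest first,
    each into the first stage with room (first-fit decreasing), which keeps
    the stage count, and so the scan time, small. A file larger than the RAM
    can never be scanned by this module and is reported, not silently dropped.
    Returns (stages, too_large): stages is a list of lists of 0-based file
    indices, too_large the indices that fit in no stage.
    """
    order = sorted(range(len(file_sizes_mb)),
                   key=lambda i: file_sizes_mb[i], reverse=True)
    stages: List[List[int]] = []
    used: List[float] = []
    too_large: List[int] = []
    for i in order:
        size = file_sizes_mb[i]
        if size > ram_mb:
            too_large.append(i)
            continue
        for s, load in enumerate(used):
            if load + size <= ram_mb:
                stages[s].append(i)
                used[s] += size
                break
        else:  # no existing stage has room: open a new one
            stages.append([i])
            used.append(size)
    return [sorted(stage) for stage in stages], too_large


def workload_levels(stages, file_sizes_mb, ram_mb: float) -> List[float]:
    """Workload level of each stage: RAM occupied by its files / RAM available."""
    return [sum(file_sizes_mb[i] for i in stage) / ram_mb for stage in stages]


def resulting_workload(levels: Sequence[float]) -> float:
    """Mean of the stage workload levels (0.6(6) in the patent's example)."""
    return sum(levels) / len(levels) if levels else 0.0


def scan_time_s(stages, per_stage_max_s: float) -> float:
    """Stages run one after another; each stage is assumed to cost one
    signature scan, which reproduces the 0.02 s for two stages of 0.01 s."""
    return len(stages) * per_stage_max_s


# Constructed free-RAM samples (t in seconds, MB) from protecting VM #1.
RAM_SAMPLES = [(0.0, 100.0), (1.0, 90.0), (2.0, 80.0), (3.0, 70.0)]
FILES_MB = [10.0, 20.0, 50.0]  # the three files of the worked example


def run_example(t_i: float = 4.0) -> dict:
    """Predict RAM at t_i, pack the files into stages, report the workload."""
    ram = predict_free_ram(RAM_SAMPLES, t_i)   # 60 MB at t_i = 4
    stages, too_large = plan_stages(FILES_MB, ram)
    levels = workload_levels(stages, FILES_MB, ram)
    return {"predicted_ram_mb": ram, "stages": stages, "too_large": too_large,
            "levels": levels, "resulting_workload": resulting_workload(levels),
            "scan_time_s": scan_time_s(stages, 0.01)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```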
  • FIG. 2 illustrates an exemplary method for detecting malicious files on a virtual machine according to aspects of the invention.
  • the structural diagram of the method of detection of malicious files on a virtual machine may comprise the step 211, in which files may be determined for performance of the antivirus scan, step 212, in which the characteristics of the computing resources may be collected, step 213, in which the approximation time function may be determined for the characteristics of the computing resources, step 214, in which the parameters of the antivirus scan may be collected, step 215, in which the approximation function may be determined for the parameters of the antivirus scan in dependence on the characteristics of the computing resources, step 216, in which the approximation time function may be determined for the effectiveness of the antivirus scan, step 217, in which the scanning module 121 may be selected, step 218, in which the most effective start time may be determined for performing the antivirus scan, step 221, in which the antivirus scan may be performed, and step 222, in which a verdict may be pronounced as to the detection of a malicious
  • in step 211 the files stored in the storage of files 101 of the protected virtual machine 100 on which the aforementioned thin client 110 is running may be determined for the performance of the antivirus scan.
  • in step 212 the characteristics of the computing resources of the protecting virtual machine 120 on which the scanning module 121 is running may be determined and collected.
  • step 212 may be performed at the same time as step 214 .
  • the characteristics of the computing resources of the protecting virtual machine 120 may include:
  • the computing capacity of the protecting virtual machine 120 on which the scanning module 121 is running may include:
  • Regression analysis methods may be used to calculate the parameters describing the approximation time functions.
  • in step 214 the parameters of the antivirus scan of the scanning module 121 which may be installed on the corresponding protecting virtual machines 120 may be determined, these parameters dictating the rules of use by the scanning module 121 of the computing resources of the corresponding protecting virtual machines 120.
  • step 214 may be performed at the same time as step 212 .
  • the parameters of the antivirus scan being performed by the scanning module 121 may include:
  • the parameters which may define the methods of detection of malicious files may include:
  • the workload level of the scanning module 121 of the protecting virtual machines 120 may act as the effectiveness of the antivirus scan on the protecting virtual machine 120 .
  • the scanning module 121 may be configured to select a suitable scanning module in a distributed network having a plurality of protected and protecting virtual machines on the basis of the effectiveness function of the antivirus scan obtained in step 216 .
  • the selected scanning module 121 may be configured to determine:
  • the start time for performing the antivirus scan may be determined for the scanning module 121 selected in step 217 , so that at least one of the following criteria may be fulfilled:
  • the antivirus scan may be performed on the files determined in step 211 .
  • a verdict may be pronounced as to the detection of malicious files.
  • FIG. 3 illustrates the approximation time function of the characteristics of computing resources of protecting virtual machines according to aspects of the invention.
  • the graph of the approximation time function of the characteristics of the computing resources of the protecting virtual machines 301 may contain the time characteristics of the computing resources of the protecting virtual machine 302 and the plotted approximation function 303 .
  • the approximation time function 301 of the characteristics of the computing resources of the protecting virtual machine 120 may be determined by the dynamic computing module 112 , which works as part of the thin client 110 on the protected virtual machine 100 , on the basis of data characterizing the protecting virtual machine 120 , obtained from the collecting module 111 , which works as part of the aforementioned thin client 110 .
  • the time characteristics of the computing resources of the protecting virtual machine 302 may include the workload level of the CPU of the protecting virtual machine (expressed in percent, from 0% to 100%) in dependence on time (expressed in seconds, from 0 to 50).
  • the characteristics of the computing resources of the protecting virtual machine 302 are available for 49 timestamps $t_i$, giving the values $X_{t_i}$.
  • the problem is to construct an approximation function 303 with which one may calculate the presumptive workload of the protecting virtual machine at time $t_{50}$.
  • one may employ one of several methods of regression analysis, such as the method of least squares.
  • the system of equations may be solved to calculate the coefficients $a_1 \ldots a_6$ of the equation $F_{CHAR}(X)$, so that the condition may be fulfilled: $\sum_{t_i} \bigl(X_{t_i} - F_{CHAR}(X)\bigr)^2 \to \min_{a_1 \ldots a_6}$.
  • FIG. 4 illustrates the approximation time functions of the characteristics of computing resources of several protecting virtual machines according to aspects of the invention.
  • the graph of the approximation time functions of the characteristics of the computing resources of several protecting virtual machines 400 may contain the time characteristics of the computing resources of the protecting virtual machines 401 , 411 and 421 , the approximation functions 402 , 412 and 422 respectively plotted on the basis of an analysis of the time characteristics of the computing resources of the protecting virtual machines, and the resulting combined approximation function 430 .
  • the approximation time functions 402, 412 and 422 of the characteristics of the computing resources of the protecting virtual machines 120.1, 120.2 and 120.3 respectively may be determined by the dynamic computing module 112, operating as part of the thin client 110 on the protected virtual machine 100, on the basis of the data characterizing the protecting virtual machines 120.1, 120.2 and 120.3 and obtained from the collecting module 111, operating as part of the aforementioned thin client 110.
  • the approximation time functions of the characteristics of the computing resources of the protecting virtual machines 401 , 411 and 421 may be obtained by the methods discussed in the description of FIG. 3 .
  • the time characteristics of the computing resources of the protecting virtual machines 401, 411 and 421 may include the workload level of the CPU of each of the protecting virtual machines (expressed in percent, from 0% to 100%) in dependence on time (expressed in seconds, from 0 to 25).
  • For the selection of the time of sending the file for scanning to the protection server 120 of one of the protecting virtual machines, it may be necessary to determine when the combined load of the CPUs of all the protecting virtual machines is at a minimum. Knowing the time of minimum combined CPU load of the protecting virtual machines, the protecting virtual machine with the minimum CPU load out of all available protecting virtual machines may be selected, and its protection server 120 may be sent the file for performance of an antivirus scan.
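The least-squares prediction of a protecting VM's resource characteristic (the a1, a2 parameters above and the FIG. 3 fit of 49 samples to predict t50) and the FIG. 4 selection of the moment of minimum combined CPU load, as an added Python illustration that is not the patent's code. The polynomial form of F_CHAR(t), the 0..100% clamp on extrapolated loads and the constructed per-second load histories are this example's assumptions; the fit works for any degree, including the six-coefficient case the description mentions.

```python
"""Least-squares fit of protecting-VM load histories and scan-slot selection.

Added example, not the patent's code. Load samples are constructed; the
polynomial form of F_CHAR(t) is an assumption (the patent only names a1..a6).
"""
from typing import Callable, Dict, List, Sequence, Tuple

Sample = Tuple[float, float]  # (t_i in seconds, X_ti = observed characteristic)


def _solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("normal equations are singular; lower the degree")
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        tail = sum(m[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (m[i][n] - tail) / m[i][i]
    return x


def fit_time_function(samples: Sequence[Sample], degree: int) -> Callable[[float], float]:
    """Return F_CHAR(t) = a_1 + a_2 t + ... + a_{degree+1} t^degree fitted by
    least squares, i.e. the coefficients minimising sum_i (X_ti - F_CHAR(t_i))^2.

    Time is rescaled to [-1, 1] before forming the normal equations so that a
    six-coefficient fit (degree 5) over 49 one-second samples stays well
    conditioned; the returned callable still takes raw seconds.
    """
    if len(samples) <= degree:
        raise ValueError("need more samples than coefficients")
    t_lo = min(t for t, _ in samples)
    t_hi = max(t for t, _ in samples)
    half_span = (t_hi - t_lo) / 2 or 1.0

    def u(t: float) -> float:
        return (t - (t_lo + t_hi) / 2) / half_span

    n = degree + 1
    ata = [[0.0] * n for _ in range(n)]  # V^T V, V = Vandermonde matrix in u(t)
    atx = [0.0] * n                      # V^T X
    for t, x in samples:
        powers = [u(t) ** k for k in range(n)]
        for i in range(n):
            atx[i] += powers[i] * x
            for j in range(n):
                ata[i][j] += powers[i] * powers[j]
    coeffs = _solve_linear(ata, atx)

    def f_char(t: float) -> float:
        return sum(a * u(t) ** k for k, a in enumerate(coeffs))

    return f_char


def select_scan_slot(histories: Dict[str, Sequence[Sample]], horizon: Sequence[float],
                     degree: int = 2, threshold: float = 100.0) -> Tuple[float, str, float]:
    """FIG. 4 procedure: fit each protecting VM's CPU-load history, take the
    moment in `horizon` at which the combined predicted load is lowest, and at
    that moment pick the VM with the lowest predicted load. `threshold` is the
    workload cut-off ("lower than an established threshold value")."""
    models = {name: fit_time_function(h, degree) for name, h in histories.items()}

    def load(name: str, t: float) -> float:
        # Extrapolated polynomials may leave 0..100%; clamp to the CPU range.
        return max(0.0, min(100.0, models[name](t)))

    def combined(t: float) -> float:
        return sum(load(name, t) for name in models)

    t_start = min(horizon, key=combined)
    name, vm_load = min(((n, load(n, t_start)) for n in models), key=lambda p: p[1])
    if vm_load >= threshold:
        raise RuntimeError("no protecting VM under the workload threshold at t=%g" % t_start)
    return t_start, name, vm_load


# Constructed CPU-load histories (percent), one sample per second over 0..24 s,
# standing in for the three protecting VMs of FIG. 4.
CONSTRUCTED_HISTORIES: Dict[str, Sequence[Sample]] = {
    "vm1": [(t, 20 + 2 * t) for t in range(25)],
    "vm2": [(t, 90 - 2 * t) for t in range(25)],
    "vm3": [(t, 0.1 * (t - 30) ** 2 + 10) for t in range(25)],
}

if __name__ == "__main__":
    t_start, vm, vm_load = select_scan_slot(CONSTRUCTED_HISTORIES, range(25, 40))
    print(f"send the file at t={t_start}s to {vm} (predicted CPU load {vm_load:.1f}%)")
```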
  • FIG. 5 illustrates an example computer system (which may be a personal computer or a server) on which the disclosed systems and methods can be implemented according to aspects of the invention.
  • the computer system 20 (which may be a personal computer or a server) includes a central processing unit 21 , a system memory 22 and a system bus 23 connecting the various system components, including the memory associated with the central processing unit 21 .
  • the system bus 23 may comprise a bus memory or bus memory controller, a peripheral bus, and a local bus that is able to interact with any other bus architecture.
  • the system memory may include permanent memory (ROM) 24 and random-access memory (RAM) 25 .
  • the basic input/output system (BIOS) 26 may store the basic procedures for transfer of information between elements of the computer system 20 , such as those at the time of loading the operating system with the use of the ROM 24 .
  • the computer system 20 may also comprise a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing on removable magnetic disks 29 , and an optical drive 30 for reading and writing removable optical disks 31 , such as CD-ROM, DVD-ROM and other optical media.
  • the hard disk 27 , the magnetic disk drive 28 , and the optical drive 30 are connected to the system bus 23 across the hard disk interface 32 , the magnetic disk interface 33 and the optical drive interface 34 , respectively.
  • the drives and the corresponding computer information media are power-independent modules for storage of computer instructions, data structures, program modules and other data of the computer system 20 .
  • An exemplary aspect comprises a system that uses a hard disk 27 , a removable magnetic disk 29 and a removable optical disk 31 connected to the system bus 23 via the controller 55 .
  • any type of media 56 that is able to store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random-access memory (RAM) and so on) may also be utilized.
  • the computer system 20 has a file system 36 , in which the operating system 35 , may be stored, as well as additional program applications 37 , other program modules 38 , and program data 39 .
  • a user of the computer system 20 may enter commands and information using keyboard 40, mouse 42, or any other input device known to those of ordinary skill in the art, such as, but not limited to, a microphone, joystick, game controller, scanner, etc.
  • Such input devices typically plug into the computer system 20 through a serial port 46, which in turn is connected to the system bus, but those of ordinary skill in the art will appreciate that input devices may also be connected in other ways, such as, without limitation, via a parallel port, a game port, or a universal serial bus (USB).
  • a monitor 47 or other type of display device may also be connected to the system bus 23 across an interface, such as a video adapter 48 .
  • the personal computer may be equipped with other peripheral output devices (not shown), such as loudspeakers, a printer, etc.
  • Computer system 20 may operate in a network environment, using a network connection to one or more remote computers 49 .
  • the remote computer (or computers) 49 may be local computer workstations or servers comprising most or all of the elements described above for the computer system 20.
  • Other devices may also be present in the computer network, such as, but not limited to, routers, network stations, peer devices or other network nodes.
  • Network connections can form a local-area computer network (LAN) 50 and a wide-area computer network (WAN). Such networks are used in corporate computer networks and internal company networks, and they generally have access to the Internet.
  • In LAN or WAN networks, the personal computer 20 is connected to the local-area network 50 across a network adapter or network interface 51.
  • the computer system 20 may employ a modem 54 or other modules well known to those of ordinary skill in the art that enable communications with a wide-area computer network such as the Internet.
  • the modem 54 which may be an internal or external device, may be connected to the system bus 23 by a serial port 46 . It will be appreciated by those of ordinary skill in the art that said network connections are non-limiting examples of numerous well-understood ways of establishing a connection by one computer to another using communication modules.
  • the systems and methods described herein may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the methods may be stored as one or more instructions or code on a non-transitory computer-readable medium.
  • Computer-readable medium includes data storage.
  • such computer-readable medium can comprise RAM, ROM, EEPROM, CD-ROM, Flash memory or other types of electric, magnetic, or optical storage medium, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a processor of a general purpose computer.
  • module refers to a real-world device, component, or arrangement of components implemented using hardware, such as by an application specific integrated circuit (ASIC) or field-programmable gate array (FPGA), for example, or as a combination of hardware and software, such as by a microprocessor system and a set of instructions to implement the module's functionality, which (while being executed) transform the microprocessor system into a special-purpose device.
  • a module may also be implemented as a combination of the two, with certain functions facilitated by hardware alone, and other functions facilitated by a combination of hardware and software.
  • a module may be executed on the processor of a general purpose computer (such as the one described in greater detail in FIG. 4 , supra). Accordingly, each module may be realized in a variety of suitable configurations, and should not be limited to any particular implementation exemplified herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)
  • Test And Diagnosis Of Digital Computers (AREA)

Abstract

A method and system is provided for detecting malicious files in a distributed network having a plurality of virtual machines. An example method includes: determining and obtaining, by a virtual machine, at least one file for performing an antivirus scan; collecting data relating to characteristics of computing resources of each virtual machine and parameters relating to the antivirus scan; determining an approximation time function of the characteristics of the computing resources and an approximation function of the one or more parameters for determining an approximation time function of effectiveness of the antivirus scan; and based at least on the approximation time function of effectiveness of the antivirus scan, selecting one virtual machine to perform the antivirus scan in order to determine whether the at least one file is malicious.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims benefit of priority under 35 U.S.C. 119(a)-(d) to a Russian Patent Application No. 2016119518 filed May 20, 2016, which is incorporated by reference herein.
FIELD OF TECHNOLOGY
The invention pertains generally to the field of cybersecurity and, more particularly, to systems and methods of detecting malicious files in a distributed system of virtual machines.
BACKGROUND
The rapid development in the past decade of computer technologies, including cloud technologies, and also the widespread use of diverse computing devices (personal computers, notebooks, tablets, smartphones, etc.), has served as a powerful stimulus for the use of these devices in every possible sphere of human activity and for a tremendous number of tasks (from Internet surfing and communication via Internet to bank transfers and electronic document traffic). In parallel with the growth in numbers of computing devices, the volumes of software running on these devices have also grown at a rapid pace, including malicious software.
At present, a huge number of malicious program varieties exist. Some of them may steal personal and confidential data from the devices of users (such as logins and passwords, bank details, electronic documents). Others may form so-called botnets from the devices of users to guess passwords using the brute force method or launch attacks such as a denial of service (Distributed Denial of Service, DDOS) against other computers or computer networks. Still others may foist paid content onto users through aggressive advertising, paid subscriptions, sending of text messages to paid phone numbers, and so forth.
Antivirus programs may be used to defeat malicious programs. An effective solution may require first and foremost a timely detection of files containing the code of malicious programs, for which the antivirus programs may employ various technologies, such as signature, heuristic and proactive analysis, white and black lists, and so forth. Each of the above-mentioned technologies may have its own effectiveness in detecting malicious files, based on its potential ability to detect certain malicious files and on the requirements on the computing resources of the computer system on which the technology is running.
At present, the volumes of data (including files) being processed by computer systems are so vast that their antivirus scanning by antivirus programs may take a long time and demand substantial computing resources, which is especially critical for the users of personal computers. Therefore, in order to increase the effectiveness of detection of malicious files, methods of increasing the computing resources of the computer systems on which the search for malicious files takes place may be used. For example, distributed systems may be used to search for malicious files. Such systems may comprise several servers, and on each server only a portion of the files needing to be scanned is scanned.
The known operating methods may be ineffective when there is a heavy workload on the computer systems performing the antivirus scanning of files, or when some of the computer systems taking part in the antivirus scanning of files are malfunctioning.
SUMMARY
Disclosed are systems and methods of detecting malicious files in a distributed system of virtual machines. In one exemplary aspect, a method for detecting malicious files in a distributed network having a plurality of virtual machines, comprising: determining and obtaining, by a virtual machine of the plurality of virtual machines, at least one file stored on the virtual machine for performing an antivirus scan; collecting, by the virtual machine, data relating to characteristics of computing resources of the plurality of virtual machines and one or more parameters relating to the antivirus scan; determining an approximation time function of the characteristics of the computing resources of the plurality of virtual machines and an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data; determining an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters; and based at least on the approximation time function of effectiveness of the antivirus scan, selecting at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least one file is malicious.
In another exemplary aspect, selecting the at least one virtual machine comprises determining the most effective start time for performing the antivirus scan by fulfilling at least one of the following criteria: the antivirus scan taking the least time; the antivirus scan taking less time than scheduled; the antivirus scan that will be completed no later than a scheduled time; a minimum number of computing resources of the virtual machine is needed to perform the antivirus scan; or fewer computing resources of the virtual machine than scheduled are needed to perform the antivirus scan.
In yet another exemplary aspect, selecting at least one virtual machine comprises: detecting that the at least one virtual machine is able to at least perform the antivirus scan of the at least one file using computing resources available in a scheduled time slot; detecting the at least one virtual machine with the lowest calculated workload level among the plurality of virtual machines in the distributed network; detecting the at least one virtual machine with a calculated workload level lower than an established threshold value; or detecting no less than two virtual machines of the plurality of virtual machines whose combined calculated workload level is less than the combined workload level of the remaining virtual machines of the plurality of virtual machines.
In another exemplary aspect, collecting the data relating to the characteristics of computing resources of the plurality of virtual machines comprises at least one of: detecting a time period between obtaining the at least one file and determining whether the at least one file is malicious; detecting a number of files transmitted to the virtual machine for the antivirus scan; and determining a computing capacity of each of the plurality of the virtual machines.
In another exemplary aspect, the one or more parameters relating to the antivirus scan comprise at least one of: methods for detecting malicious files used by the plurality of virtual machines, the methods comprising at least one of: a signature analysis, a heuristic analysis, an analysis of emulation results, and an analysis of black and white lists; and the characteristics of computing resources of the plurality of virtual machines used for performing the antivirus scan. The methods for detecting malicious files are determined based at least on the maximum time during which the antivirus scan takes place, and an emulation depth of files being scanned.
In yet another exemplary aspect, the approximation time function of the characteristics of the computing resources of the plurality of virtual machines is determined based at least on the collected data relating to the characteristics of the computing resources of each virtual machine, characteristics of computing resources of each virtual machine which are accessible at a selected time, the time of determination of characteristics of the computing resources of each virtual machine, and the time for which it is necessary to determine the characteristics of the computing resources of each virtual machine.
In yet another exemplary aspect, the approximation function of the one or more parameters relating to the antivirus scan is determined based at least on data relating to presumptive parameters of the antivirus scan for the characteristics of the computing resources, and characteristics of the computing resources of each virtual machine for performing the antivirus scan.
In another example aspect, the approximation time function of effectiveness of the antivirus scan is determined based on parameters defining a type and size of the at least one file.
In accordance with exemplary aspects of the invention, a system for detecting malicious files in a distributed network having a plurality of virtual machines, the system comprising: a virtual machine of the plurality of virtual machines having at least one thin client operating thereon, the virtual machine being configured to: determine and obtain at least one file stored on the virtual machine for performing an antivirus scan; collect data relating to characteristics of computing resources of the plurality of virtual machines and one or more parameters relating to the antivirus scan; determine an approximation time function of the characteristics of the computing resources of the plurality of virtual machines and an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data; determine an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters; and based at least on the approximation time function of effectiveness of the antivirus scan, select at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least one file is malicious.
Additionally, in accordance with another exemplary aspect of the invention, a non-transitory computer readable medium storing thereon computer executable instructions for detecting malicious files in a distributed network having a plurality of virtual machines, including instructions for: determining and obtaining, by a virtual machine of the plurality of virtual machines, at least one file stored on the virtual machine for performing an antivirus scan; collecting, by the virtual machine, data relating to characteristics of computing resources of the plurality of virtual machines and one or more parameters relating to the antivirus scan; determining an approximation time function of the characteristics of the computing resources of the plurality of virtual machines and an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data; determining an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters; and based at least on the approximation time function of effectiveness of the antivirus scan, selecting at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least one file is malicious.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated into and constitute a part of this specification, illustrate one or more example aspects of the present disclosure and, together with the detailed description, serve to explain their principles and implementations.
FIG. 1 illustrates an exemplary system for detecting malicious files on a virtual machine according to aspects of the invention.
FIG. 2 illustrates an exemplary method for detecting malicious files on a virtual machine according to aspects of the invention.
FIG. 3 illustrates the approximation time function of the characteristics of computing resources of protecting virtual machines according to aspects of the invention.
FIG. 4 illustrates the approximation time functions of the characteristics of computing resources of several protecting virtual machines according to aspects of the invention.
FIG. 5 illustrates a computer system, a personal computer or server, on which the disclosed systems and method can be implemented.
DETAILED DESCRIPTION
Example aspects are described herein in the context of a system, method and computer program product for detecting malicious files in a distributed network having a plurality of virtual machines. Those of ordinary skill in the art will realize that the following description is illustrative only and is not intended to be in any way limiting. Other aspects will readily suggest themselves to those skilled in the art having the benefit of this disclosure. Reference will now be made in detail to implementations of the example aspects as illustrated in the accompanying drawings. The same reference indicators will be used to the extent possible throughout the drawings and the following description to refer to the same or like items.
The following definitions will be used in describing various aspects of the invention:
A protected virtual machine may include a virtual machine working under the control of a hypervisor, with an installed guest operating system, in the computational environment of which a thin client is executing.
A protecting virtual machine may be a virtual machine working under the control of a hypervisor, with an installed operating system, in the environment of which a protection server is working.
A thin client may include software configured to protect a protected virtual machine against malicious programs and computer threats and to transmit files for the antivirus scan in the network to the protecting virtual machines.
A protection server may include software configured to perform an antivirus scan of files received from protected virtual machines.
FIG. 1 illustrates an exemplary system for detection of malicious files on a virtual machine according to aspects of the invention. The structural diagram of the system for detection of malicious files on a virtual machine may include a protected virtual machine 100, a storage of files requiring an antivirus scan 101, a thin client module 110, a collecting module 111, a dynamic computing module 112, a selection module 113, a task forming module 114, a protecting virtual machine 120, and a scanning module 121.
The system for detection of malicious files on a virtual machine may contain a protected virtual machine 100, working under the control of a hypervisor, with an installed guest operating system, in the environment of which a thin client 110 is working, and protecting virtual machines 120, working under the control of a hypervisor and with an installed operating system, in the environment of each of which a scanning module 121 is working.
The protecting virtual machine 120 may be configured to carry out an antivirus scan on files received from the thin client 110, and it may contain the scanning module 121.
The scanning module 121 may be configured to:
    • carry out an antivirus scan on files received from the task forming module 114; and
    • pronounce a verdict on the detection of malicious files.
The protected virtual machine 100 may be configured to detect the files requiring an antivirus scan in the storage of files 101 and transfer these to the thin client module 110 for performing an antivirus scan.
The thin client module 110 may be configured to protect the protected virtual machine 100 against malicious files and it may include a collecting module 111, a dynamic computing module 112, a selection module 113, and a task forming module 114.
The collecting module 111 may be configured to:
    • collect the characteristics of the computing resources of the protecting virtual machines 120;
    • collect the parameters of the antivirus scan of the scanning module 121, where the scanning module 121 may be installed on the corresponding protecting virtual machines 120, the parameters dictating the rules for use by the scanning module 121 of the computing resources of the corresponding protecting virtual machines 120, wherein the mentioned rules of use dictate which computing resources of the protecting virtual machine 120 may be provided to the scanning module 121 to carry out the particular actions comprising the antivirus scan;
    • transmit the collected characteristics of the computing resources and the parameters of the antivirus scan to the dynamic computing module 112.
The characteristics of the computing resources of the protecting virtual machine 120 may include:
    • the time passed between the receiving of the files from the task forming module 114 to the pronouncing of the verdict by the scanning module 121;
    • the number of files transmitted to the scanning module 121 for the antivirus scan;
    • the computing capacity of the protecting virtual machine 120 on which the scanning module 121 is running.
For example, in accordance with one aspect of the invention, the collected characteristics of the computing resources of the protecting virtual machine 120 on which the scanning module 121 is running may be generalized to form a single characteristic of the computing resources of the protecting virtual machine 120, which may include a set of numbers:
{Δ,N,{M,B}}

for each established point in time ti of transmission of the collected data to the dynamic computing module 112,
    • where:
      • Δ is the time passed between the reception of the files by the task forming module 114 from the storage of files 101 to the pronouncing of the verdict by the scanning module 121;
      • N is the number of files transmitted to the scanning module 121 to carry out the antivirus scan at the point in time ti;
      • M is the volume of free memory of the protecting virtual machine 120 at the point in time ti;
      • B is the CPU load of the protecting virtual machine 120 at the point in time ti.
The described set of numbers may be sufficient to calculate a multidimensional approximation function (one of whose coefficients is time) which may define the behavior of the scanning module 121.
The parameters of the antivirus scan being performed by the scanning module 121 may include:
    • the methods of detection of malicious files that are used by the scanning module 121 to perform the antivirus scan, where the methods of detection of malicious files may include:
      • signature analysis,
      • heuristic analysis,
      • analysis of emulation results,
      • analysis of black and white lists;
    • the characteristics of the computing resources, being used by the scanning module 121 to perform the antivirus scan.
The parameters which may define the methods of detection of malicious files may include:
    • the maximum time during which the antivirus scan takes place;
    • the depth of emulation of the files being scanned.
The computing capacity of the protecting virtual machine 120 on which the scanning module 121 is running may include:
    • the RAM of the protecting virtual machine 120 in which the scanning module 121 is running;
    • the CPU performance of the protecting virtual machine 120.
The parameters used by the scanning module 121 to perform the antivirus scan of the files may affect the accuracy of the verdict pronounced by the scanning module 121, e.g., the chance of not detecting a malicious file among malicious files (a false negative) or, conversely, the chance of flagging a legitimate file as malicious (a false positive) when performing the antivirus scan. For example, the scanning module 121 of the protecting virtual machine #1 120.1 may perform a scan for each file received from the task forming module 114 with the aid of signature analysis in no more than 0.01 s, the scanning module 121 of the protecting virtual machine #2 120.2 may use heuristic analysis with a depth of emulation of the files scanned (maximum number of nested calls) equal to 10 in no more than 0.1 s, and the scanning module 121 of the protecting virtual machine #3 120.3 may use heuristic analysis with a depth of emulation of the files scanned equal to 1000 in no more than 0.04 s. As a result, the most effective scanning means, i.e., the one using the largest volume of computing resources of the protecting virtual machine, is the scanning module 121 running on the protecting virtual machine #3 120.3, even though the fastest one is the scanning module 121 running on the protecting virtual machine #1 120.1.
The dynamic computing module 112 may be configured to:
    • determine the approximation time function of the characteristics of the computing resources for each protecting virtual machine 120 on the basis of an analysis of the characteristics of the computing resources collected by the collecting module 111, where the approximation function in question may be presented as:
      \{C\}_{t_k} = F_{char}(\{\{C\}_{t_i} \ldots \{C\}_{t_j}\}, t_k)
    • where:
      • F_{char} is the approximation time function,
      • \{C\}_{t_j} are the characteristics of the computing resources of the protecting virtual machine 120 collected by the collecting module 111,
      • \{C\}_{t_k} are the characteristics of the computing resources of the protecting virtual machine 120 which are accessible at the point in time t_k,
      • t_i, t_j are the times of determination of the characteristics of the computing resources of the protecting virtual machine 120,
      • t_k is the time for which it is necessary to determine the characteristics of the computing resources of the protecting virtual machine 120;
        and it may be defined by the parameters a_1, a_2, \ldots, a_i, such that the approximation function in question may be presented in the form:
        \{C\}_{t_k} = F_{char}(a_1, a_2, \ldots, a_i, t_k).
    • determine the approximation function of the parameters of the antivirus scan of each scanning module 121 in dependence on the characteristics of the computing resources of the corresponding protecting virtual machine 120 on the basis of an analysis of the parameters of the antivirus scan collected by the collecting module 111, this approximation function may have the following form:
      \{P\}_{C_k} = F_{params}(\{\{P\}_{C_i} \ldots \{P\}_{C_j}\}, C_k),
    • where:
      • F_{params} is the approximation function,
      • \{P\}_{C_{i,j}} are the parameters of the antivirus scan as collected by the collecting module 111, being dependent on the characteristics of the computing resources C_i,
      • \{P\}_{C_k} are the presumptive parameters of the antivirus scan for the characteristics of the computing resources C_k,
      • C_{i,j} are the characteristics of the computing resources of the protecting virtual machine 120, being used by the scanning module 121 when performing the antivirus scan;
        and it may be defined by the parameters b_1, b_2, \ldots, b_i, so that the approximation function in question may be presented in the form:
        \{P\}_{C_k} = F_{params}(b_1, b_2, \ldots, b_i, C_k).
    • determine the approximation time function of the effectiveness of the antivirus scan on each protecting virtual machine 120 as a composition (function composition) of the determined functions, where the function composition is a function obtained by applying one function to the results of another function, the effectiveness of the antivirus scan characterizing the volume of computing resources needed by the protecting virtual machine 120 to achieve the established result of the antivirus scan, the approximation function in question having the form:
      E = F_{efficiency}(\{F\}, \{C\}, \{P\}),
    • where:
      • F_{efficiency} is the approximation function,
      • \{F\} are parameters characterizing the files received by the task forming module 114, where the parameters may define:
        • the file type, and
        • the file size,
      • \{C\} are parameters describing the approximation time function of the characteristics of the computing resources of the protecting virtual machine 120,
      • \{P\} are parameters describing the approximation function of the parameters of the antivirus scan performed by the scanning module 121 in dependence on the characteristics of the computing resources of the protecting virtual machine 120;
        and it may be defined by the parameters e_1, e_2, \ldots, e_i, such that the approximation function in question may be presented in the form:
        E_{t_k} = F_{efficiency}(e_1, e_2, \ldots, e_i, t_k).
    • and transmit the determined approximation time function for the effectiveness of the antivirus scan on each protecting virtual machine 120 to the selection module 113.
The parameters defining the approximation time function of the characteristics of the computing resources of the protecting virtual machine 120 may be the numerical coefficients for the approximation function of the kind:
F_{CHAR}(\{\{C\}_{t_i} \ldots \{C\}_{t_j}\}) = a_i \times C_i + a_{i+1} \times C_{i+1} + \ldots + a_j \times C_j,
    • where:
      • \{C\}_{t_i} are the characteristics of the computing resources of the protecting virtual machine 120 collected by the collecting module 111,
      • t_i is the time of gathering the characteristics of the computing resources of the protecting virtual machine 120,
      • a_i are numerical coefficients describing the approximation function.
The parameters defining the approximation function of the parameters of the antivirus scan being performed by the scanning module 121 in dependence on the characteristics of the computing resources of the protecting virtual machine 120 may include numerical coefficients for the approximation function of the kind:
F_{PARAMS}(\{\{P\}_{t_i} \ldots \{P\}_{t_j}\}) = b_i \times P_i + b_{i+1} \times P_{i+1} + \ldots + b_j \times P_j,
    • where:
      • \{P\}_{C_i} are the parameters of the antivirus scan being performed by the scanning module 121 as collected by the collecting module 111,
      • C_i are the characteristics of the computing resources of the protecting virtual machine 120,
      • b_i are numerical coefficients defining the approximation function.
The workload level of the scanning module 121 of the protecting virtual machines 120 may act as the effectiveness of the antivirus scan on the protecting virtual machine 120.
The workload level of the scanning module 121 of the protecting virtual machine 120 may be calculated as the superposition of the set of parameters defining the approximation time function of the characteristics of the computing resources of the protecting virtual machine 120 and the set of parameters defining the approximation function of the parameters of the antivirus scan being performed by the scanning module 121 in dependence on the characteristics of the computing resources of the protecting virtual machine 120, having the form:
F_{BUSY}(\{F\}, \{C\}, \{P\}) = C(\{F\}) \times P(\{F\}),
    • where:
      • \{F\} are parameters characterizing the files received by the task forming module 114,
      • \{C\} are parameters defining the approximation time function of the characteristics of the computing resources of the protecting virtual machine 120,
      • \{P\} are parameters describing the approximation function of the parameters of the antivirus scan being performed by the scanning module 121 in dependence on the characteristics of the computing resources of the protecting virtual machine 120.
Regression analysis methods may be used to calculate the parameters in defining the approximation time functions.
For example, in the case where the RAM volume used to perform the antivirus scan of files is the characteristic of the computing resources of the protecting virtual machine 120, a linear function may be determined as the approximation function, as described by the formula:
F(X) = a_1 \times X + a_2
In this case, the parameters a_1, a_2 may be calculated as:
a_1 = \frac{n \times \sum_{i=1}^{n} t_i \times X_i - \sum_{i=1}^{n} t_i \times \sum_{i=1}^{n} X_i}{n \times \sum_{i=1}^{n} t_i^2 - \left(\sum_{i=1}^{n} t_i\right)^2}, \qquad a_2 = \frac{\sum_{i=1}^{n} X_i - a_1 \times \sum_{i=1}^{n} t_i}{n},
    • where:
      • n is the number of timestamps at which values of the RAM volume being used in the performance of the antivirus scan were obtained,
      • t_i is the timestamp of obtaining a value X_i of the RAM volume being used to perform the antivirus scan,
      • X_i is the value of the RAM volume being used to perform the antivirus scan at the point in time t_i.
The selection module 113 may be configured to:
    • select the scanning module 121 on the basis of the effectiveness function of the antivirus scan obtained from the dynamic computing module 112;
    • determine for the selected scanning module 121 the start time for the performance of the antivirus scan such that at least one of the following criteria may be fulfilled:
      • the antivirus scan takes the least time;
      • the antivirus scan takes less time than scheduled;
      • the antivirus scan will be completed not later than the scheduled time;
      • a minimum number of computing resources of the protecting virtual machine 120 is needed to perform the antivirus scan;
      • fewer computing resources of the protecting virtual machine 120 than scheduled are needed to perform the antivirus scan;
    • send information on the selected scanning module 121 to the task forming module 114, containing the most effective start time for performance of the antivirus scan by the selected scanning module 121.
The selected scanning module 121 may include:
    • the scanning means able to at least perform the antivirus scan of the files determined by the task forming module 114, using the computing resources available in the scheduled time slot;
    • the scanning module 121 with the lowest calculated workload level;
    • the scanning module 121 with a calculated workload level lower than an established threshold value;
    • if an antivirus scan of not less than two files is needed, at least two scanning modules 121 out of the set of scanning modules 121 whose combined calculated workload level is less than the combined workload level of the remaining scanning modules 121.
For example, the workload level of the scanning module 121 may be determined and calculated as follows: there are 3 files of size 10 MB, 20 MB and 50 MB, respectively, for which it is necessary to perform an antivirus scan; the scanning module 121 has presented parameters describing the antivirus scan as a signature analysis taking at most 0.01 s, while the characteristic of the protecting virtual machine 120 on which the scanning module 121 is running may have an available RAM volume of 60 MB. Signature analysis means that the file will be placed in the RAM as is, i.e., it will take up the same volume as its size. In order for the workload of the scanning module 121 to be at maximum, it needs to transmit the aforementioned 3 files in two stages: in the first stage, file #1 and file #3; in the second stage, file #2. As a result, the antivirus scan of all three files will take 0.02 s, the workload level of the scanning module 121 will be 1 and 0.3(3), respectively, and the resulting workload for the mentioned three files will be 0.6(6), which is the optimal result, given that during the scanning of file #2 the scanning module 121 will have sufficient computing resources to process new files. In the present case, the workload level may be calculated as:
F_{BUSY}(\{F\}, \{C\}, \{P\}) = FILESIZE \times SERVERTIME \times MEMORYFREE.
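The staging of the three files in the example above, written out as an added example (not the patent's own code): files are packed into scan stages that fit the available RAM, and the workload level of each stage is taken as the share of the free RAM its files occupy, which reproduces the 1 and 0.3(3) figures of the text. The product formula for F_BUSY on the page is stated without units, so that simpler ratio is an assumption of this example, as is the first-fit-decreasing packing order; a file larger than the available RAM is rejected rather than silently dropped.

```python
"""Added example (not from the patent): packing files into scan stages for a
signature scan on a protecting VM with a fixed amount of free RAM, reproducing
the worked example of three files (10, 20 and 50 MB) and 60 MB of free RAM."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ScanFile:
    name: str
    size_mb: float


def pack_into_stages(files: List[ScanFile], free_ram_mb: float) -> List[List[ScanFile]]:
    """First-fit-decreasing packing (an assumption of this example): signature
    analysis places each file in RAM as is, so the files of one stage may not
    exceed free_ram_mb in total.  A file larger than the available RAM can
    never be scanned here and is rejected up front."""
    too_big = [f.name for f in files if f.size_mb > free_ram_mb]
    if too_big:
        raise ValueError(f"files exceed free RAM of {free_ram_mb} MB: {too_big}")
    stages: List[Dict] = []  # each: {"free": remaining MB, "files": [ScanFile, ...]}
    for f in sorted(files, key=lambda f: f.size_mb, reverse=True):
        for stage in stages:
            if stage["free"] >= f.size_mb:
                stage["files"].append(f)
                stage["free"] -= f.size_mb
                break
        else:
            stages.append({"free": free_ram_mb - f.size_mb, "files": [f]})
    return [s["files"] for s in stages]


def stage_workloads(stages: List[List[ScanFile]], free_ram_mb: float) -> List[float]:
    """Workload level of a stage: the share of the free RAM occupied by its files."""
    return [sum(f.size_mb for f in s) / free_ram_mb for s in stages]


def plan_scan(files: List[ScanFile], free_ram_mb: float, scan_time_s: float) -> dict:
    """Plan the scan and report per-stage and mean workload plus total time,
    assuming every stage takes the module's maximum scan time (0.01 s for the
    signature analysis in the text)."""
    stages = pack_into_stages(files, free_ram_mb)
    loads = stage_workloads(stages, free_ram_mb)
    return {
        "stages": [[f.name for f in s] for s in stages],
        "workloads": loads,
        "mean_workload": sum(loads) / len(loads) if loads else 0.0,
        "total_time_s": scan_time_s * len(stages),
    }


# Constructed input matching the text's worked example.
FILES = [ScanFile("file1", 10), ScanFile("file2", 20), ScanFile("file3", 50)]

if __name__ == "__main__":
    print(plan_scan(FILES, free_ram_mb=60, scan_time_s=0.01))
```

Running the block yields the two stages of the text (file #3 with file #1, then file #2), workloads of 1.0 and 0.333, a mean of 0.667 and a total time of 0.02 s.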
The task forming module 114 may be configured to:
    • determine the files of the protected virtual machine 100 on which the thin client module 110 is running for performance of the antivirus scan;
    • send commands to the collecting module 111 to perform the collection of the characteristics of the computing resources of the protecting virtual machines 120 and the parameters of the antivirus scan of the scanning module 121; and
    • transfer the determined files to the scanning module 121, the information on which has been provided by the selection module 113, according to the scanning time as determined by the selection module 113.
For example, in the case where the scanning module 121 of the protecting virtual machine 120 has been selected, the antivirus scan of the file may be performed at once or after a certain time. In the event that the scanning module 121 is already performing an antivirus scan of files received earlier from the task forming module 114, the antivirus scan of the new file may not be done at once, and the file may be stored (for example, on the hard drive of the protecting virtual machine 120) until the antivirus scan being performed is finished, after which the file may be loaded from the hard drive into memory and the scanning module 121 may perform the antivirus scan. In the described working logic of the scanning module 121, two time-consuming but non-mandatory operations (if the work is organized properly) may be performed: the writing of the file to disk and the reading of the file from disk. But if the mentioned file is dispatched to the scanning module 121 not right after its selection, but at a later time when the scanning module 121 may have completed its previous tasks, the antivirus scan of the file may be performed more quickly.
In one exemplary aspect, the detecting of malicious files in a distribution of 1000 files, of total volume 1 GB, by a thin client 110 of a protected virtual machine 100 among three protecting virtual machines 120 (120.1, 120.2 and 120.3) may be performed. The scanning modules 121 of the three protecting virtual machines may employ signature analysis, heuristic analysis, and an analysis according to white and black lists, respectively. Each of the aforementioned analysis methods may have its own effectiveness (0.6, 0.95 and 0.1, respectively) and may require its own computing resources (200 MB of free RAM; a CPU with operating speed not less than 100 MFLOPS plus 50 MB of free RAM; and a CPU with operating speed not less than 10 MFLOPS plus 10 MB of free RAM, respectively), which means that on average each scanning module 121 may process a file in 0.01, 0.1 and 0.002 s, respectively.
In the beginning, when no statistics on the working of the protecting virtual machine 120 may be available, the files may be distributed uniformly by the task forming module 114 in accordance with how fast the given protecting virtual machine 120 may perform the antivirus scan. In the course of time, the dynamic computing module 112 may accumulate statistics on the characteristics of the computing resources and the parameters of the antivirus scan of all the protecting virtual machines 120 at different points in time, which makes it possible to calculate the approximation functions of the characteristics and the parameters.
For the protecting virtual machine #1 120.1, only the volume of free RAM may be important, the change in which obeys the linear time law M(t) = a_1 × t + a_2. On the basis of the collected data {M_i, t_i}, the parameters a_1 and a_2 may be calculated by the method of least squares, which makes it possible to predict how much available RAM the protecting virtual machine #1 120.1 may have at the time t_i of sending of the file for performance of the antivirus scan to the scanning module 121 of the protecting virtual machine #1 120.1. Knowing how much RAM may be available at any given point in time, the task forming module 114 may estimate which files may be sent to the scanning module 121 in order for those files to be processed in a minimum time.
Similar steps are taken for the protecting virtual machines #2 120.2 and #3 120.3, where besides the RAM the CPU operating speed may also be used. By estimating the CPU load of the protecting virtual machine 120, which obeys the law B(t) = a_1 × t^3 + a_2 × t^2 + a_3 × t + a_4, the parameters a_1, a_2, a_3, a_4 may be calculated. After this, the CPU load of the protecting virtual machine 120 at the time t_i of sending the file for performance of the antivirus scan to the scanning module 121 of the protecting virtual machine #2 120.2 (or #3 120.3) is predicted. In this way, one achieves the effect that the CPU of the protecting virtual machine 120 has a maximum effective load.
As a result of the distribution of tasks among the scanning module 121 of the various protecting virtual machines 120, an increase in the speed of performance of the antivirus scan for the files of the protected virtual machine 100 may be accomplished, since the protecting virtual machines 120 may be used with higher effectiveness than in the case of a uniform or random distribution of files among the protecting virtual machines 120.
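The least-squares formulas for a_1 and a_2 given earlier, the prediction of free RAM for protecting virtual machine #1 described above, and the selection of the scanning module with the lowest workload level can be put together as follows. This is an added example, not code from the patent; the per-VM statistics, the 1.0 workload threshold, and the definition of the workload level as the share of predicted free RAM a file would occupy are assumptions made for the illustration. The block also handles the two failure modes a practitioner will hit: identical timestamps (the slope is undefined) and a predicted free RAM of zero or less (no module is selected).

```python
"""Added example (not from the patent): least-squares fit of free RAM
M(t) = a1*t + a2 per protecting virtual machine, prediction at the send time,
and selection of the scanning module with the lowest predicted workload.
All sample data is constructed."""
from typing import Dict, List, Optional, Tuple

Samples = Tuple[List[float], List[float]]  # (timestamps t_i, free RAM M_i in MB)


def fit_linear(ts: List[float], xs: List[float]) -> Tuple[float, float]:
    """Closed-form ordinary least squares for X(t) = a1*t + a2, i.e. the
    formulas for a_1 and a_2 given in the text.  Raises when the slope is
    undefined (fewer than two samples or all timestamps identical)."""
    n = len(ts)
    if n < 2 or n != len(xs):
        raise ValueError("need at least two (t, X) pairs of equal length")
    sum_t, sum_x = sum(ts), sum(xs)
    sum_tx = sum(t * x for t, x in zip(ts, xs))
    sum_tt = sum(t * t for t in ts)
    denom = n * sum_tt - sum_t ** 2
    if denom == 0:
        raise ValueError("all timestamps identical; slope is undefined")
    a1 = (n * sum_tx - sum_t * sum_x) / denom
    a2 = (sum_x - a1 * sum_t) / n
    return a1, a2


def predict_free_ram(samples: Samples, t_send: float) -> float:
    """Free RAM the VM is predicted to have at t_send under the linear law."""
    a1, a2 = fit_linear(*samples)
    return a1 * t_send + a2


def workload(file_size_mb: float, free_ram_mb: float) -> float:
    """Workload level (assumption of this example): share of the predicted
    free RAM the file would occupy when loaded as is.  Above 1.0 the file
    does not fit; non-positive free RAM is reported as infinite workload."""
    if free_ram_mb <= 0:
        return float("inf")
    return file_size_mb / free_ram_mb


def select_scanner(samples_by_vm: Dict[str, Samples], file_size_mb: float,
                   t_send: float, threshold: float = 1.0) -> Optional[Tuple[str, float]]:
    """Pick the VM whose scanning module has the lowest predicted workload at
    t_send, provided it is at or below the threshold (the 'lowest workload'
    and 'below an established threshold' rules of the text).  Returns None
    when no VM is predicted to have enough free RAM."""
    best: Optional[Tuple[str, float]] = None
    for vm, samples in samples_by_vm.items():
        w = workload(file_size_mb, predict_free_ram(samples, t_send))
        if w <= threshold and (best is None or w < best[1]):
            best = (vm, w)
    return best


# Constructed statistics: five (t_i, M_i) samples per protecting VM.  VM #1's
# free RAM falls by 10 MB/s, VM #2's rises by 5 MB/s.
SAMPLES: Dict[str, Samples] = {
    "vm1": ([0.0, 1.0, 2.0, 3.0, 4.0], [100.0, 90.0, 80.0, 70.0, 60.0]),
    "vm2": ([0.0, 1.0, 2.0, 3.0, 4.0], [40.0, 45.0, 50.0, 55.0, 60.0]),
}

if __name__ == "__main__":
    for vm, s in SAMPLES.items():
        print(vm, "a1, a2 =", fit_linear(*s), "free RAM at t=5:", predict_free_ram(s, 5.0))
    print("30 MB file ->", select_scanner(SAMPLES, 30.0, 5.0))
    print("70 MB file ->", select_scanner(SAMPLES, 70.0, 5.0))
```

With these samples VM #1 is predicted to have 50 MB free and VM #2 65 MB at t = 5, so a 30 MB file goes to VM #2 (workload 0.46 against 0.6), and a 70 MB file is not dispatched to either until a later send time.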
FIG. 2 illustrates an exemplary method for detecting malicious files on a virtual machine according to aspects of the invention. The structural diagram of the method of detection of malicious files on a virtual machine may comprise the step 211, in which files may be determined for performance of the antivirus scan, step 212, in which the characteristics of the computing resources may be collected, step 213, in which the approximation time function may be determined for the characteristics of the computing resources, step 214, in which the parameters of the antivirus scan may be collected, step 215, in which the approximation function may be determined for the parameters of the antivirus scan in dependence on the characteristics of the computing resources, step 216, in which the approximation time function may be determined for the effectiveness of the antivirus scan, step 217, in which the scanning module 121 may be selected, step 218 in which the most effective start time may be determined for performing the antivirus scan, step 221, in which the antivirus scan may be performed, and step 222, in which a verdict may be pronounced as to the detection of a malicious file.
In step 211, the files stored in the storage of files 101 of the protected virtual machine 100 on which the aforementioned thin client 110 is running may be determined for the performance of the antivirus scan.
In step 212, the characteristics of the computing resources of the protecting virtual machine 120 on which the scanning module 121 is running may be determined and collected.
In one exemplary aspect, step 212 may be performed at the same time as step 214.
The characteristics of the computing resources of the protecting virtual machine 120 may include:
    • the time passed between the receiving of the files from the task forming module 114 to the pronouncing of the verdict by the scanning module 121;
    • the number of files transmitted to the scanning module 121 for the antivirus scan; and
    • the computing capacity of the protecting virtual machine 120 on which the scanning module 121 is running.
The computing capacity of the protecting virtual machine 120 on which the scanning module 121 is running may include:
    • the RAM of the protecting virtual machine 120 in which the scanning module 121 is running;
    • the CPU performance of the protecting virtual machine 120.
In step 213, the approximation time function of the characteristics of the computing resources for each protecting virtual machine 120 may be determined on the basis of an analysis of the characteristics of the computing resources collected in step 212, where the approximation function in question may have the form:
\{C\}_{t_k} = F_{char}(\{\{C\}_{t_i} \ldots \{C\}_{t_j}\}, t_k),
    • where:
      • F_{char} is the approximation time function,
      • \{C\}_{t_{i,j}} are the characteristics of the computing resources of the protecting virtual machine 120 collected in step 212,
      • \{C\}_{t_k} are the characteristics of the computing resources of the protecting virtual machine 120 which are accessible at the point in time t_k,
      • t_i, t_j are the times of determination of the characteristics of the computing resources of the protecting virtual machine 120,
      • t_k is the time for which it is necessary to determine the characteristics of the computing resources of the protecting virtual machine 120;
        and it may be defined by the parameters a_1, a_2, \ldots, a_i, such that the approximation function in question may be presented in the form:
        \{C\}_{t_k} = F_{char}(a_1, a_2, \ldots, a_i, t_k).
The parameters defining the approximation time function of the characteristics of the computing resources of the protecting virtual machine 120 may include the numerical coefficients for the approximation function of the kind:
F_{CHAR}(\{\{C\}_{t_i} \ldots \{C\}_{t_j}\}) = a_i \times C_i + a_{i+1} \times C_{i+1} + \ldots + a_j \times C_j,
    • where:
      • \{C\}_{t_i} are the characteristics of the computing resources of the protecting virtual machine 120 collected by the collecting module 111,
      • t_i is the time of gathering the characteristics of the computing resources of the protecting virtual machine 120,
      • a_i are numerical coefficients describing the approximation function.
Regression analysis methods may be used to calculate the parameters describing the approximation time functions.
In step 214, the parameters of the antivirus scan of the scanning module 121 which may be installed on the corresponding protecting virtual machines 120 may be determined, these parameters dictating the rules of use by the scanning module 121 of the computing resources of the corresponding protecting virtual machines 120.
In one exemplary aspect, step 214 may be performed at the same time as step 212.
The parameters of the antivirus scan being performed by the scanning module 121 may include:
    • the methods of detection of malicious files that are used by the scanning module 121 to perform the antivirus scan, where the methods of detection of malicious files may include:
      • signature analysis,
      • heuristic analysis,
      • analysis of emulation results, and
      • analysis of black and white lists;
    • the characteristics of the computing resources, the characteristics being used by the scanning module 121 to perform the antivirus scan.
The parameters which may define the methods of detection of malicious files may include:
    • the maximum time during which the antivirus scan takes place; and
    • the depth of emulation of the files being scanned.
In step 215, the approximation function of the parameters of the antivirus scan of each scanning module 121 in dependence on the characteristics of the computing resources of the corresponding protecting virtual machine 120 may be determined on the basis of an analysis of the parameters of the antivirus scan collected in step 214, this approximation function having the form:
\{P\}_{C_k} = F_{params}(\{\{P\}_{C_i} \ldots \{P\}_{C_j}\}, C_k),
    • where:
      • F_{params} is the approximation function,
      • \{P\}_{C_{i,j}} are the parameters of the antivirus scan as collected by the collecting module 111, being dependent on the characteristics of the computing resources C_i,
      • \{P\}_{C_k} are the presumptive parameters of the antivirus scan for the characteristics of the computing resources C_k,
      • C_{i,j} are the characteristics of the computing resources of the protecting virtual machine 120, being used by the scanning module 121 when performing the antivirus scan;
        and being defined by the parameters b_1, b_2, \ldots, b_i, so that the approximation function in question may be presented in the form:
        \{P\}_{C_k} = F_{params}(b_1, b_2, \ldots, b_i, C_k).
The parameters defining the approximation function of the parameters of the antivirus scan being performed by the scanning module 121 in dependence on the characteristics of the computing resources of the protecting virtual machine 120 may include numerical coefficients for the approximation function of the kind:
F_{PARAMS}(\{\{P\}_{t_i} \ldots \{P\}_{t_j}\}) = b_i \times P_i + b_{i+1} \times P_{i+1} + \ldots + b_j \times P_j,
    • where:
      • \{P\}_{C_i} are the parameters of the antivirus scan being performed by the scanning module 121 as collected by the collecting module 111,
      • C_i are the characteristics of the computing resources of the protecting virtual machine 120,
      • b_i are numerical coefficients defining the approximation function.
In step 216, the approximation time function of the effectiveness of the antivirus scan on each protecting virtual machine 120 may be determined as a composition of the functions determined in steps 213 and 215, where the function composition may include a function obtained by applying one function to the results of another function, the effectiveness of the antivirus scan characterizing the volume of computing resources needed by the protecting virtual machine 120 to achieve the established result of the antivirus scan, the approximation function in question having the form:
E = F_{efficiency}(\{F\}, \{C\}, \{P\}),
    • where:
      • F_{efficiency} is the approximation function,
      • \{F\} are parameters characterizing the files received by the task forming module 114, where the parameters may include:
        • the file type, and
        • the file size,
      • \{C\} are parameters describing the approximation time function of the characteristics of the computing resources of the protecting virtual machine 120,
      • \{P\} are parameters describing the approximation function of the parameters of the antivirus scan performed by the scanning module 121 in dependence on the characteristics of the computing resources of the protecting virtual machine 120;
        and it may be defined by the parameters e_1, e_2, \ldots, e_i, such that the approximation function in question may be presented in the form:
        E_{t_k} = F_{efficiency}(e_1, e_2, \ldots, e_i, t_k).
The workload level of the scanning module 121 of the protecting virtual machines 120 may act as the effectiveness of the antivirus scan on the protecting virtual machine 120.
The workload level of the scanning module 121 of the protecting virtual machine 120 may be calculated as the superposition of the set of parameters defining the approximation time function of the characteristics of the computing resources of the protecting virtual machine 120 and the set of parameters defining the approximation function of the parameters of the antivirus scan being performed by the scanning module 121 in dependence on the characteristics of the computing resources of the protecting virtual machine 120, having the form:
F_{BUSY}(\{F\}, \{C\}, \{P\}) = C(\{F\}) \times P(\{F\}),
    • where:
      • \{F\} are parameters characterizing the files received by the task forming module 114,
      • \{C\} are parameters describing the approximation time function of the characteristics of the computing resources of the protecting virtual machine 120,
      • \{P\} are parameters describing the approximation function of the parameters of the antivirus scan being performed by the scanning module 121 in dependence on the characteristics of the computing resources of the protecting virtual machine 120.
In step 217, the scanning module 121 may be configured to select a suitable scanning module in a distributed network having a plurality of protected and protecting virtual machines on the basis of the effectiveness function of the antivirus scan obtained in step 216.
The selected scanning module 121 may be configured to determine:
    • a scanning module of one of the plurality of protecting virtual machines in the distributed network that is able to at least perform the antivirus scan of the files determined by the task forming module 114, using the computing resources available in the scheduled time slot;
    • the scanning module 121 with the lowest calculated workload level;
    • one scanning module 121 with a calculated workload level lower than an established threshold value;
    • no fewer than two scanning modules 121 out of the set of scanning modules 121 whose combined calculated workload level is less than the combined workload level of the remaining scanning modules 121 of the set.
In step 218, the start time for performing the antivirus scan may be determined for the scanning module 121 selected in step 217, so that at least one of the following criteria may be fulfilled:
    • the antivirus scan takes the least time;
    • the antivirus scan takes less time than scheduled;
    • the antivirus scan will be completed not later than the scheduled time;
    • a minimum number of computing resources of the protecting virtual machine 120 is needed to perform the antivirus scan;
    • fewer computing resources of the protecting virtual machine 120 than scheduled are needed to perform the antivirus scan.
In step 221, the antivirus scan may be performed on the files determined in step 211.
In step 222, a verdict may be pronounced as to the detection of malicious files.
FIG. 3 illustrates the approximation time function of the characteristics of computing resources of protecting virtual machines according to aspects of the invention. The graph of the approximation time function of the characteristics of the computing resources of the protecting virtual machines 301 may contain the time characteristics of the computing resources of the protecting virtual machine 302 and the plotted approximation function 303.
The approximation time function 301 of the characteristics of the computing resources of the protecting virtual machine 120 may be determined by the dynamic computing module 112, which works as part of the thin client 110 on the protected virtual machine 100, on the basis of data characterizing the protecting virtual machine 120, obtained from the collecting module 111, which works as part of the aforementioned thin client 110.
The time characteristics of the computing resources of the protecting virtual machine 302 may include the workload level of the CPU of the protecting virtual machine (expressed in percent, from 0% to 100%) in dependence on time (expressed in seconds, from 0 to 50).
The characteristics of the computing resources of the protecting virtual machine 302 are available for 49 timestamps \{X\}_{t_i}. The problem is to construct an approximation function 303 with which one may calculate the presumptive workload of the protecting virtual machine at time t_{50}. For this purpose, one may employ one of several methods of regression analysis, such as the method of least squares.
In the first step, one of the functions defining the approximation function may be selected, such as a polynomial function of 6th degree:
F_{CHAR}(X) = a_1 \times X^1 + a_2 \times X^2 + \ldots + a_6 \times X^6.
In the next step, the system of equations may be solved to calculate the coefficients a_1 \ldots a_6 of the equation F_{CHAR}(X), so that the condition may be fulfilled:
\sum_{t_i} \left(X_{t_i} - F_{CHAR}(X)\right)^2 \to \min_{a_1 \ldots a_6}.
After the coefficients a_1 \ldots a_6 have been calculated, and knowing the value of time t_{50}, the value of the presumptive CPU load of the protecting virtual machine may be calculated. For the data depicted in the graph 301 for time t_{50} = 50 s, this may amount to X_{50} = 85%.
FIG. 4 illustrates the approximation time functions of the characteristics of computing resources of several protecting virtual machines according to aspects of the invention. The graph of the approximation time functions of the characteristics of the computing resources of several protecting virtual machines 400 may contain the time characteristics of the computing resources of the protecting virtual machines 401, 411 and 421, the approximation functions 402, 412 and 422 respectively plotted on the basis of an analysis of those time characteristics, and the resulting combined approximation function 430.
The approximation time functions 402, 412 and 422 of the characteristics of the computing resources of the protecting virtual machines 120.1, 120.2 and 120.3 respectively may be determined by the dynamic computing module 112, operating as part of the thin client 110 on the protected virtual machine 100 on the basis of the data characterizing the protecting virtual machines 120.1, 120.2 and 120.3 and obtained from the collecting module 111, operating as part of the aforementioned thin client 110.
The approximation time functions 402, 412 and 422 may be obtained from the time characteristics of the computing resources of the protecting virtual machines 401, 411 and 421 by the methods discussed in the description of FIG. 3.
The time characteristics of the computing resources of the protecting virtual machines 401, 411 and 421 may include the workload level of the CPU of each protecting virtual machine (expressed in percent, from 0% to 100%) as a function of time (expressed in seconds, from 0 to 25).
After calculating the approximation time functions of the CPU load of each protecting virtual machine, the approximation function of the combined load of the CPUs of the system of all protecting virtual machines 430 may be calculated:
X ji {a j}i.
To select the time at which the file is sent for scanning to the protection server 120 of one of the protecting virtual machines, it may be necessary to determine when the combined load of the CPUs of all the protecting virtual machines is at its minimum. Knowing the time of minimum combined CPU load, the protecting virtual machine with the lowest CPU load at that time out of all available protecting virtual machines may be selected, and the file may be sent to its protection server 120 for performance of the antivirus scan.
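The following is a worked example of the FIG. 3 fit and the FIG. 4 selection together; it is added here and is not code from the patent or from Kaspersky Lab. It fits the page's $F_{CHAR}(X) = a_1 X + \dots + a_6 X^6$ to each protecting VM's load samples by least squares, extrapolates to candidate times, and picks the time of minimum combined load and the VM with the lowest forecast load at that time. Everything beyond the text is an assumption: the function names (`fit_load_model`, `choose_scan_slot`, and so on), the VM labels, the rescaling of time so the last sample sits at $X = 1$, the QR-based solver, the plain sum used as the combined function (the page does not spell that function out), and all sample data, which is constructed rather than measured.

```python
"""Least-squares load forecasting and scan-slot selection (FIG. 3 and FIG. 4).

Added example; not code from the patent or from Kaspersky Lab.  Fits
F_CHAR(X) = a_1 X + a_2 X^2 + ... + a_d X^d to each protecting VM's observed CPU
load, extrapolates to candidate times, sums the per-VM forecasts, picks the time
of minimum combined load, then the VM forecast lowest at that time.
Assumptions not in the text: time is rescaled so the last sample sits at X = 1,
the solve is an augmented modified Gram-Schmidt QR (not bare normal equations),
the combined load is a plain sum, and all sample data is constructed.
"""
from typing import Callable, Dict, List, Sequence, Tuple

Model = Tuple[List[float], float]  # (coefficients a_1..a_d, time scale T)

def _dot(u: Sequence[float], v: Sequence[float]) -> float:
    return sum(a * b for a, b in zip(u, v))

def _lstsq_mgs(A: List[List[float]], y: Sequence[float]) -> List[float]:
    """Solve min ||A a - y||^2 via modified Gram-Schmidt QR on [A | y]."""
    m, n = len(A), len(A[0])
    q = [[A[i][j] for i in range(m)] for j in range(n)]  # columns of A, become Q
    r = [[0.0] * n for _ in range(n)]
    res, qty = list(y), [0.0] * n  # y is orthogonalised alongside the columns
    for j in range(n):
        for k in range(j):
            r[k][j] = _dot(q[k], q[j])
            q[j] = [qj - r[k][j] * qk for qj, qk in zip(q[j], q[k])]
        r[j][j] = _dot(q[j], q[j]) ** 0.5
        if r[j][j] == 0.0:
            raise ValueError("design matrix is rank deficient")
        q[j] = [v / r[j][j] for v in q[j]]
        qty[j] = _dot(q[j], res)
        res = [rv - qty[j] * qv for rv, qv in zip(res, q[j])]
    a = [0.0] * n
    for j in range(n - 1, -1, -1):  # back-substitution on R a = Q^T y
        a[j] = (qty[j] - sum(r[j][k] * a[k] for k in range(j + 1, n))) / r[j][j]
    return a

def fit_load_model(times: Sequence[float], loads: Sequence[float], degree: int = 6) -> Model:
    """Fit a_1 X + ... + a_degree X^degree (no constant term, as in the text)."""
    if len(times) != len(loads) or len(times) <= degree:
        raise ValueError("need more samples than coefficients")
    scale = float(max(times))
    rows = [[(t / scale) ** k for k in range(1, degree + 1)] for t in times]
    return _lstsq_mgs(rows, list(loads)), scale

def predict_load(model: Model, t: float) -> float:
    """Evaluate the fitted polynomial at t; beyond the samples this extrapolates."""
    coeffs, scale = model
    x = t / scale
    return sum(a * x ** (k + 1) for k, a in enumerate(coeffs))

def clamp_percent(v: float) -> float:
    """An extrapolated polynomial can leave [0, 100]; clamp before using it as a CPU %."""
    return min(100.0, max(0.0, v))

def combined_load(models: Dict[str, Model], t: float) -> float:
    return sum(predict_load(m, t) for m in models.values())

def choose_scan_slot(models: Dict[str, Model], candidates: Sequence[float]) -> Tuple[float, str]:
    """Time of minimum combined forecast load, then the VM forecast lowest at that time."""
    best_t = min(candidates, key=lambda t: combined_load(models, t))
    best_vm = min(models, key=lambda name: predict_load(models[name], best_t))
    return best_t, best_vm

# --- constructed sample data (not measurements) ------------------------------
# FIG. 3 case: one protecting VM sampled at t = 1..49 s; the synthetic curve is
# chosen so the true load at t = 50 s is 85 %, the value quoted for the figure.
FIG3_TIMES = list(range(1, 50))
FIG3_LOADS = [60 * (t / 50) + 25 * (t / 50) ** 2 for t in FIG3_TIMES]

# FIG. 4 case: three protecting VMs sampled at t = 1..25 s.  Synthetic curves in
# x = t/25, shaped so the combined minimum falls inside the candidate window.
FIG4_TIMES = list(range(1, 26))
_CURVES: Dict[str, Callable[[float], float]] = {
    "vm-120.1": lambda x: 30 * x,
    "vm-120.2": lambda x: 80 * x - 40 * x ** 2,
    "vm-120.3": lambda x: 400 * x - 600 * x ** 2 + 250 * x ** 3,
}
FIG4_LOADS = {name: [f(t / 25) for t in FIG4_TIMES] for name, f in _CURVES.items()}

def fig3_forecast_at_50() -> float:
    return predict_load(fit_load_model(FIG3_TIMES, FIG3_LOADS), 50.0)

def fig4_select_slot() -> Tuple[float, str]:
    models = {n: fit_load_model(FIG4_TIMES, ys) for n, ys in FIG4_LOADS.items()}
    return choose_scan_slot(models, list(range(25, 31)))

if __name__ == "__main__":
    print(f"FIG. 3: forecast CPU load at t=50 s: {fig3_forecast_at_50():.1f} %")
    t, vm = fig4_select_slot()
    print(f"FIG. 4: send the file at t={t:g} s to {vm}")
```

Two practical points the page leaves implicit. A 6th-degree polynomial in raw seconds is numerically fragile (the $X^6$ column is of order $10^{10}$ at $t = 49$), which is why the example rescales time and solves by QR; it is also a high-variance extrapolator, so on real load traces one would fit over a short recent window, keep the forecast horizon to a few samples, and clamp the result (`clamp_percent`) before comparing it with a CPU threshold. The selection step is deterministic given the forecasts; the clamping and the summed combined load are the example's assumptions, not the patent's.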
FIG. 5 illustrates an example computer system (which may be a personal computer or a server) on which the disclosed systems and methods can be implemented according to aspects of the invention. As shown, the computer system 20 (which may be a personal computer or a server) includes a central processing unit 21, a system memory 22 and a system bus 23 connecting the various system components, including the memory associated with the central processing unit 21. As will be appreciated by those of ordinary skill in the art, the system bus 23 may comprise a bus memory or bus memory controller, a peripheral bus, and a local bus that is able to interact with any other bus architecture. The system memory may include permanent memory (ROM) 24 and random-access memory (RAM) 25. The basic input/output system (BIOS) 26 may store the basic procedures for transfer of information between elements of the computer system 20, such as those at the time of loading the operating system with the use of the ROM 24.
The computer system 20 may also comprise a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing removable magnetic disks 29, and an optical drive 30 for reading and writing removable optical disks 31, such as CD-ROM, DVD-ROM and other optical media. The hard disk 27, the magnetic disk drive 28, and the optical drive 30 are connected to the system bus 23 via the hard disk interface 32, the magnetic disk interface 33 and the optical drive interface 34, respectively. The drives and the corresponding computer information media are non-volatile storage for computer instructions, data structures, program modules and other data of the computer system 20.
An exemplary aspect comprises a system that uses a hard disk 27, a removable magnetic disk 29 and a removable optical disk 31 connected to the system bus 23 via the controller 55. It will be understood by those of ordinary skill in the art that any type of media 56 that is able to store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random-access memory (RAM) and so on) may also be utilized.
The computer system 20 has a file system 36, in which the operating system 35 may be stored, as well as additional program applications 37, other program modules 38, and program data 39. A user of the computer system 20 may enter commands and information using a keyboard 40, a mouse 42, or any other input device known to those of ordinary skill in the art, such as, but not limited to, a microphone, joystick, game controller, scanner, etc. Such input devices typically plug into the computer system 20 through a serial port 46, which in turn is connected to the system bus, but those of ordinary skill in the art will appreciate that input devices may also be connected in other ways, such as, without limitation, via a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device may also be connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not shown), such as loudspeakers, a printer, etc.
Computer system 20 may operate in a network environment, using a network connection to one or more remote computers 49. The remote computer (or computers) 49 may be local computer workstations or servers comprising most or all of the aforementioned elements in describing the nature of a computer system 20. Other devices may also be present in the computer network, such as, but not limited to, routers, network stations, peer devices or other network nodes.
Network connections can form a local-area computer network (LAN) 50 and a wide-area computer network (WAN). Such networks are used in corporate computer networks and internal company networks, and they generally have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local-area network 50 across a network adapter or network interface 51. When networks are used, the computer system 20 may employ a modem 54 or other modules well known to those of ordinary skill in the art that enable communications with a wide-area computer network such as the Internet. The modem 54, which may be an internal or external device, may be connected to the system bus 23 by a serial port 46. It will be appreciated by those of ordinary skill in the art that said network connections are non-limiting examples of numerous well-understood ways of establishing a connection by one computer to another using communication modules.
In various aspects, the systems and methods described herein may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the methods may be stored as one or more instructions or code on a non-transitory computer-readable medium. Computer-readable medium includes data storage. By way of example, and not limitation, such computer-readable medium can comprise RAM, ROM, EEPROM, CD-ROM, Flash memory or other types of electric, magnetic, or optical storage medium, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a processor of a general purpose computer.
In various aspects, the systems and methods described in the present disclosure can be addressed in terms of modules. The term "module" as used herein refers to a real-world device, component, or arrangement of components implemented using hardware, such as by an application specific integrated circuit (ASIC) or field-programmable gate array (FPGA), for example, or as a combination of hardware and software, such as by a microprocessor system and a set of instructions to implement the module's functionality, which (while being executed) transform the microprocessor system into a special-purpose device. A module may also be implemented as a combination of the two, with certain functions facilitated by hardware alone, and other functions facilitated by a combination of hardware and software. In certain implementations, at least a portion, and in some cases all, of a module may be executed on the processor of a general purpose computer (such as the one described in greater detail in FIG. 5, supra). Accordingly, each module may be realized in a variety of suitable configurations, and should not be limited to any particular implementation exemplified herein.
In the interest of clarity, not all of the routine features of the aspects are disclosed herein. It would be appreciated that in the development of any actual implementation of the present disclosure, numerous implementation-specific decisions must be made in order to achieve the developer's specific goals, and these specific goals will vary for different implementations and different developers. It is understood that such a development effort might be complex and time-consuming, but would nevertheless be a routine undertaking of engineering for those of ordinary skill in the art, having the benefit of this disclosure.
Furthermore, it is to be understood that the phraseology or terminology used herein is for the purpose of description and not of restriction, such that the terminology or phraseology of the present specification is to be interpreted by the skilled in the art in light of the teachings and guidance presented herein, in combination with the knowledge of the skilled in the relevant art(s). Moreover, it is not intended for any term in the specification or claims to be ascribed an uncommon or special meaning unless explicitly set forth as such.
The various aspects disclosed herein encompass present and future known equivalents to the known modules referred to herein by way of illustration. Moreover, while aspects and applications have been shown and described, it would be apparent to those skilled in the art having the benefit of this disclosure that many more modifications than mentioned above are possible without departing from the inventive concepts disclosed herein.

Claims (20)

The invention claimed is:
1. A method for detecting malicious files in a distributed network having a plurality of protected virtual machines, the method comprising:
obtaining, by a first protected virtual machine of the plurality of protected virtual machines, at least one file from a thin client installed on the first protected virtual machine, for performing an antivirus scan of the at least one file;
collecting, by the first protected virtual machine, data relating to characteristics of computing resources of the plurality of protected virtual machines and one or more parameters relating to the antivirus scan;
determining an approximation time function of the characteristics of the computing resources of the plurality of virtual machines based on analysis of the data relating to the characteristics of the computing resources;
determining an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data defining behavior of the antivirus scan;
determining an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters, wherein effectiveness of the antivirus scan is determined by comparing defined properties of the antivirus scan with predetermined criteria; and
based at least on the approximation time function of effectiveness of the antivirus scan, selecting at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least one file is malicious according to the desired effectiveness of the antivirus scan.
2. The method of claim 1, wherein selecting the at least one virtual machine comprises determining the most effective start time for performing the antivirus scan by fulfilling at least one of the following criteria:
the antivirus scan taking the least time;
the antivirus scan taking less time than scheduled;
the antivirus scan that will be completed no later than a scheduled time;
a minimum number of computing resources of the virtual machine is needed to perform the antivirus scan; or
fewer computing resources of the virtual machine than scheduled are needed to perform the antivirus scan.
3. The method of claim 1, wherein selecting at least one virtual machine comprises:
detecting that the at least one virtual machine is able to at least perform the antivirus scan of the at least one file using computing resources available in a scheduled time slot;
detecting the at least one virtual machine with the lowest calculated workload level among the plurality of virtual machines in the distributed network;
detecting the at least one virtual machine with a calculated workload level lower than an established threshold value; or
detecting no less than two virtual machines of the plurality of virtual machines whose combined calculated workload level is less than the combined workload level of the remaining virtual machines of the plurality of virtual machines.
4. The method of claim 1, wherein collecting the data relating to the characteristics of computing resources of the plurality of virtual machines comprises at least one of:
detecting a time period between obtaining the at least one file and determining whether the at least one file is malicious;
detecting a number of files transmitted to the virtual machine for the antivirus scan; and
determining a computing capacity of each of the plurality of the virtual machines.
5. The method of claim 1, wherein the one or more parameters relating to the antivirus scan comprise at least one of:
methods for detecting malicious files used by the plurality of virtual machines, the methods comprising at least one of: a signature analysis, a heuristic analysis, an analysis of emulation results, and an analysis of black and white lists; and
the characteristics of computing resources of the plurality of virtual machines used for performing the antivirus scan,
wherein parameters for the methods for detecting malicious files comprise: maximum time of the antivirus scan and depth of emulation of the at least one file being scanned.
6. The method of claim 5, wherein the methods for detecting malicious files are determined based at least on the maximum time during which the antivirus scan takes place, and an emulation depth of files being scanned.
7. The method of claim 1, wherein the approximation time function of the characteristics of the computing resources of the plurality of virtual machines is determined based at least on the collected data relating to the characteristics of the computing resources of each virtual machine, characteristics of computing resources of each virtual machine which are accessible at a selected time, the time of determination of characteristics of the computing resources of each virtual machine, and the time for which it is necessary to determine the characteristics of the computing resources of each virtual machine.
8. The method of claim 1, wherein the approximation function of the one or more parameters relating to the antivirus scan is determined based at least on data relating to presumptive parameters of the antivirus scan for the characteristics of the computing resources, and characteristics of the computing resources of each virtual machine for performing the antivirus scan.
9. The method of claim 1, wherein the approximation time function of effectiveness of the antivirus scan is determined based on parameters defining a type and size of the at least one file.
10. A system for detecting malicious files in a distributed network having a plurality of protected virtual machines, the system comprising:
a hardware processor, configured to:
obtain at least one file from a thin client installed on a first protected virtual machine, for performing an antivirus scan of the at least one file;
collect data relating to characteristics of computing resources of the plurality of protected virtual machines and one or more parameters relating to the antivirus scan;
determine an approximation time function of the characteristics of the computing resources of the plurality of virtual machines based on analysis of the data relating to the characteristics of the computing resources;
determine an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data defining behavior of the antivirus scan;
determine an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters, wherein effectiveness of the antivirus scan is determined by comparing defined properties of the antivirus scan with predetermined criteria; and
based at least on the approximation time function of effectiveness of the antivirus scan, select at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least one file is malicious according to the desired effectiveness of the antivirus scan.
11. The system of claim 10, wherein the hardware processor is configured to select the at least one virtual machine from the plurality of virtual machines to perform the antivirus scan by determining the most effective start time for performing the antivirus scan by fulfilling at least one of the following criteria:
the antivirus scan taking the least time;
the antivirus scan taking less time than scheduled;
the antivirus scan that will be completed no later than a scheduled time;
a minimum number of computing resources of the virtual machine is needed to perform the antivirus scan; or
fewer computing resources of the virtual machine than scheduled are needed to perform the antivirus scan.
12. The system of claim 10, wherein the hardware processor is configured to select the at least one virtual machine from the plurality of virtual machines to perform the antivirus scan by:
detecting that the at least one virtual machine is able to at least perform the antivirus scan of the at least one file using computing resources available in a scheduled time slot;
detecting the at least one virtual machine with the lowest calculated workload level among the plurality of virtual machines in the distributed network;
detecting the at least one virtual machine with a calculated workload level lower than an established threshold value; or
detecting no less than two virtual machines of the plurality of virtual machines whose combined calculated workload level is less than the combined workload level of the remaining virtual machines of the plurality of virtual machines.
13. The system of claim 10, wherein the hardware processor is configured to collect the data relating to the characteristics of computing resources of the plurality of virtual machines via at least one of:
detecting a time period between obtaining the at least one file and determining whether the at least one file is malicious;
detecting a number of files transmitted to the virtual machine for the antivirus scan; and
determining a computing capacity of each of the plurality of the virtual machines.
14. The system of claim 10, wherein the one or more parameters relating to the antivirus scan comprise at least one of:
methods for detecting malicious files used by the plurality of virtual machines, the methods comprising at least one of: a signature analysis, a heuristic analysis, an analysis of emulation results, and an analysis of black and white lists; and
the characteristics of computing resources of the plurality of virtual machines used for performing the antivirus scan,
wherein parameters for the methods for detecting malicious files comprise: maximum time of the antivirus scan and depth of emulation of the at least one file being scanned.
15. The system of claim 14, wherein the methods for detecting malicious files are determined based at least on the maximum time during which the antivirus scan takes place, and an emulation depth of files being scanned.
16. The system of claim 10, wherein the approximation time function of the characteristics of the computing resources of the plurality of virtual machines is determined based at least on the collected data relating to the characteristics of the computing resources of each virtual machine, characteristics of computing resources of each virtual machine which are accessible at a selected time, the time of determination of characteristics of the computing resources of each virtual machine, and the time for which it is necessary to determine the characteristics of the computing resources of each virtual machine.
17. The system of claim 10, wherein the approximation function of the one or more parameters relating to the antivirus scan is determined based at least on data relating to presumptive parameters of the antivirus scan for the characteristics of the computing resources, and characteristics of the computing resources of each virtual machine for performing the antivirus scan.
18. The system of claim 10, wherein the approximation time function of effectiveness of the antivirus scan is determined based on parameters defining a type and size of the at least one file.
19. A non-transitory computer readable medium storing thereon computer executable instructions for detecting malicious files in a distributed network having a plurality of protected virtual machines, including instructions for:
obtaining, by a first protected virtual machine of the plurality of protected virtual machines, at least one file from a thin client installed on the first protected virtual machine, for performing an antivirus scan of the at least one file;
collecting, by the first protected virtual machine, data relating to characteristics of computing resources of the plurality of protected virtual machines and one or more parameters relating to the antivirus scan;
determining an approximation time function of the characteristics of the computing resources of the plurality of virtual machines based on analysis of the data relating to the characteristics of the computing resources;
determining an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data defining behavior of the antivirus scan;
determining an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters, wherein effectiveness of the antivirus scan is determined by comparing defined properties of the antivirus scan with predetermined criteria; and
based at least on the approximation time function of effectiveness of the antivirus scan, selecting at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least one file is malicious according to the desired effectiveness of the antivirus scan.
20. The computer readable medium of claim 19, wherein the approximation time function of the characteristics of the computing resources of the plurality of virtual machines is determined based at least on the collected data relating to the characteristics of the computing resources of each virtual machine, characteristics of computing resources of each virtual machine which are accessible at a selected time, the time of determination of characteristics of the computing resources of each virtual machine, and the time for which it is necessary to determine the characteristics of the computing resources of each virtual machine, and
wherein the approximation function of the one or more parameters relating to the antivirus scan is determined based at least on data relating to presumptive parameters of the antivirus scan for the characteristics of the computing resources, and characteristics of the computing resources of each virtual machine for performing the antivirus scan.

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2017093979A JP6469165B2 (en) 2016-05-20 2017-05-10 System and method for distributing files between virtual machines constituting a distributed system for performing anti-virus scanning
EP17172049.3A EP3246842B1 (en) 2016-05-20 2017-05-19 System and method of distributing files between virtual machines forming a distributed system for performing antivirus scans
CN201710363585.7A CN107403094B (en) 2016-05-20 2017-05-22 System and method for distributing files among virtual machines forming a distributed system to perform anti-virus scanning

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
RU2016119518A RU2628923C1 (en) 2016-05-20 2016-05-20 System and method of distribution of files between virtual machines entering distributed system of virtual machines to implement anti-virus check
RU2016119518 2016-05-20

Publications (2)

Publication Number Publication Date
US20170337377A1 US20170337377A1 (en) 2017-11-23
US10496819B2 true US10496819B2 (en) 2019-12-03

Family

ID=59744878

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/432,068 Active 2037-07-21 US10496819B2 (en) 2016-05-20 2017-02-14 System and method of distributing files between virtual machines forming a distributed system for performing antivirus scans

Country Status (4)

Country Link
US (1) US10496819B2 (en)
JP (1) JP6469165B2 (en)
CN (1) CN107403094B (en)
RU (1) RU2628923C1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10831520B2 (en) * 2018-01-11 2020-11-10 Nicira, Inc. Object to object communication between hypervisor and virtual machines

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2628923C1 (en) 2016-05-20 2017-08-22 AO Kaspersky Lab System and method of distribution of files between virtual machines entering distributed system of virtual machines to implement anti-virus check
CN108337232A (en) * 2017-12-26 2018-07-27 Nubia Technology Co., Ltd. Network anomaly detection method, Network Security Device and computer readable storage medium
US10862922B2 (en) * 2018-07-03 2020-12-08 Emc Corporation Server selection for optimized malware scan on NAS
US11593480B2 (en) * 2018-07-24 2023-02-28 EMC IP Holding Company LLC Predictive scheduled anti-virus scanning
RU2739865C2 (en) * 2018-12-28 2020-12-29 AO Kaspersky Lab System and method of detecting a malicious file
RU2724801C1 (en) * 2019-02-07 2020-06-25 AO Kaspersky Lab Method of balancing load on virtual protection machines, provided that selection area of virtual protection machines
US11340964B2 (en) * 2019-05-24 2022-05-24 International Business Machines Corporation Systems and methods for efficient management of advanced functions in software defined storage systems
CN112579249B (en) * 2019-09-30 2024-09-10 Qi An Xin Security Technology (Zhuhai) Co., Ltd. Multi-CPU virtual machine operation method and device, storage medium, and computer equipment
AU2021419776B2 (en) * 2021-01-13 2024-08-29 Nippon Telegraph And Telephone Corporation Falsification detecting device, falsification detecting method, and falsification detecting program
US12386956B1 (en) * 2021-10-26 2025-08-12 NTT DATA Services, LLC Automatic discovery and enterprise control of a robotic workforce

Citations (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6016546A (en) * 1997-07-10 2000-01-18 International Business Machines Corporation Efficient detection of computer viruses and other data traits
US20050149749A1 (en) * 2003-12-30 2005-07-07 Luc Van Brabant On-access and on-demand distributed virus scanning
US20060136720A1 (en) * 2004-12-21 2006-06-22 Microsoft Corporation Computer security management, such as in a virtual machine or hardened operating system
US20070240217A1 (en) * 2006-04-06 2007-10-11 George Tuvell Malware Modeling Detection System And Method for Mobile Platforms
US20090158432A1 (en) * 2007-12-12 2009-06-18 Yufeng Zheng On-Access Anti-Virus Mechanism for Virtual Machine Architecture
GB2466120A (en) 2008-12-11 2010-06-16 Scansafe Ltd Detecting malware by comparing files with models of normal files
US20110078318A1 (en) 2009-06-30 2011-03-31 Nitin Desai Methods and systems for load balancing using forecasting and overbooking techniques
US20110261811A1 (en) 2010-04-26 2011-10-27 International Business Machines Corporation Load-balancing via modulus distribution and tcp flow redirection due to server overload
US20110296382A1 (en) * 2010-05-27 2011-12-01 Michael Pasternak Mechanism for Dynamic Software Testing Using Test Entity
US20120192276A1 (en) 2011-01-21 2012-07-26 International Business Machines Corporation Selecting one of a plurality of scanner nodes to perform scan operations for an interface node receiving a file request
US20120233696A1 (en) * 2011-03-09 2012-09-13 Beijing Netqin Technology Co., Ltd. Method and system for antivirus by sim card combined with cloud computing
US20120304244A1 (en) * 2011-05-24 2012-11-29 Palo Alto Networks, Inc. Malware analysis system
US8370943B1 (en) 2009-10-28 2013-02-05 Netapp, Inc. Load balancing of scan requests to all antivirus servers in a cluster
US20130097706A1 (en) * 2011-09-16 2013-04-18 Veracode, Inc. Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security
US20140137255A1 (en) * 2011-08-09 2014-05-15 Huawei Technologies Co., Ltd. Method, System, and Apparatus for Detecting Malicious Code
US9088618B1 (en) 2014-04-18 2015-07-21 Kaspersky Lab Zao System and methods for ensuring fault tolerance of antivirus protection realized in a virtual environment
US9152789B2 (en) 2008-05-28 2015-10-06 Zscaler, Inc. Systems and methods for dynamic cloud-based malware behavior analysis
US9154519B1 (en) * 2015-02-20 2015-10-06 AO Kaspersky Lab System and method for antivirus checking of objects from a plurality of virtual machines
US9165142B1 (en) * 2013-01-30 2015-10-20 Palo Alto Networks, Inc. Malware family identification using profile signatures
US20160314297A1 (en) * 2013-12-30 2016-10-27 Huawei Technologies Co., Ltd. Method and Apparatus for Implementing Virtual Machine Introspection
US9489516B1 (en) * 2014-07-14 2016-11-08 Palo Alto Networks, Inc. Detection of malware using an instrumented virtual machine environment
JP2017215954A (en) 2016-05-20 2017-12-07 エーオー カスペルスキー ラボAO Kaspersky Lab System and method for distributing files between virtual machines forming distributed system for performing antivirus scans

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080301796A1 (en) * 2007-05-31 2008-12-04 Microsoft Corporation Adjusting the Levels of Anti-Malware Protection
US8516478B1 (en) * 2008-06-12 2013-08-20 Mcafee, Inc. Subsequent processing of scanning task utilizing subset of virtual machines predetermined to have scanner process and adjusting amount of subsequest VMs processing based on load
JP5446167B2 (en) * 2008-08-13 2014-03-19 富士通株式会社 Antivirus method, computer, and program
CN101587527B (en) * 2009-07-08 2011-12-28 北京东方微点信息技术有限责任公司 Method and apparatus for scanning virus program
RU2494453C2 (en) * 2011-11-24 2013-09-27 Закрытое акционерное общество "Лаборатория Касперского" Method for distributed performance of computer security tasks
RU2477520C1 (en) * 2012-03-14 2013-03-10 Закрытое акционерное общество "Лаборатория Касперского" System and method for device configuration-based dynamic adaptation of antivirus application functional
US9571507B2 (en) * 2012-10-21 2017-02-14 Mcafee, Inc. Providing a virtual security appliance architecture to a virtual cloud infrastructure
US9495180B2 (en) * 2013-05-10 2016-11-15 Fireeye, Inc. Optimized resource allocation for virtual machines within a malware content detection system
US9563455B2 (en) * 2013-10-28 2017-02-07 Intel Corporation Virtualization exceptions
CN104298918B (en) * 2014-09-12 2018-08-21 北京云巢动脉科技有限公司 A kind of virus scan method and system in virtual machine based on data block

Patent Citations (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6016546A (en) * 1997-07-10 2000-01-18 International Business Machines Corporation Efficient detection of computer viruses and other data traits
US20050149749A1 (en) * 2003-12-30 2005-07-07 Luc Van Brabant On-access and on-demand distributed virus scanning
US20060136720A1 (en) * 2004-12-21 2006-06-22 Microsoft Corporation Computer security management, such as in a virtual machine or hardened operating system
US20070240217A1 (en) * 2006-04-06 2007-10-11 George Tuvell Malware Modeling Detection System And Method for Mobile Platforms
US20090158432A1 (en) * 2007-12-12 2009-06-18 Yufeng Zheng On-Access Anti-Virus Mechanism for Virtual Machine Architecture
US9152789B2 (en) 2008-05-28 2015-10-06 Zscaler, Inc. Systems and methods for dynamic cloud-based malware behavior analysis
GB2466120A (en) 2008-12-11 2010-06-16 Scansafe Ltd Detecting malware by comparing files with models of normal files
US20110078318A1 (en) 2009-06-30 2011-03-31 Nitin Desai Methods and systems for load balancing using forecasting and overbooking techniques
US8370943B1 (en) 2009-10-28 2013-02-05 Netapp, Inc. Load balancing of scan requests to all antivirus servers in a cluster
US20110261811A1 (en) 2010-04-26 2011-10-27 International Business Machines Corporation Load-balancing via modulus distribution and tcp flow redirection due to server overload
US20110296382A1 (en) * 2010-05-27 2011-12-01 Michael Pasternak Mechanism for Dynamic Software Testing Using Test Entity
US20120192276A1 (en) 2011-01-21 2012-07-26 International Business Machines Corporation Selecting one of a plurality of scanner nodes to perform scan operations for an interface node receiving a file request
US20120233696A1 (en) * 2011-03-09 2012-09-13 Beijing Netqin Technology Co., Ltd. Method and system for antivirus by sim card combined with cloud computing
US20120304244A1 (en) * 2011-05-24 2012-11-29 Palo Alto Networks, Inc. Malware analysis system
US20140137255A1 (en) * 2011-08-09 2014-05-15 Huawei Technologies Co., Ltd. Method, System, and Apparatus for Detecting Malicious Code
US20130097706A1 (en) * 2011-09-16 2013-04-18 Veracode, Inc. Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security
US9165142B1 (en) * 2013-01-30 2015-10-20 Palo Alto Networks, Inc. Malware family identification using profile signatures
US20160314297A1 (en) * 2013-12-30 2016-10-27 Huawei Technologies Co., Ltd. Method and Apparatus for Implementing Virtual Machine Introspection
US9088618B1 (en) 2014-04-18 2015-07-21 Kaspersky Lab Zao System and methods for ensuring fault tolerance of antivirus protection realized in a virtual environment
US9489516B1 (en) * 2014-07-14 2016-11-08 Palo Alto Networks, Inc. Detection of malware using an instrumented virtual machine environment
US9154519B1 (en) * 2015-02-20 2015-10-06 AO Kaspersky Lab System and method for antivirus checking of objects from a plurality of virtual machines
JP2017215954A (en) 2016-05-20 2017-12-07 エーオー カスペルスキー ラボAO Kaspersky Lab System and method for distributing files between virtual machines forming distributed system for performing antivirus scans

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Asit More, et al., Dynamic malware detection and recording using virtual machine introspection, Jul. 12-12, 2013, DSCI-Best Practices Meet 2013, pp. 1-6. *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10831520B2 (en) * 2018-01-11 2020-11-10 Nicira, Inc. Object to object communication between hypervisor and virtual machines

Also Published As

Publication number Publication date
JP2017215954A (en) 2017-12-07
JP6469165B2 (en) 2019-02-13
CN107403094B (en) 2021-06-04
CN107403094A (en) 2017-11-28
US20170337377A1 (en) 2017-11-23
RU2628923C1 (en) 2017-08-22

Similar Documents

Publication Publication Date Title
US10496819B2 (en) System and method of distributing files between virtual machines forming a distributed system for performing antivirus scans
US10878090B2 (en) System and method of detecting malicious files using a trained machine learning model
RU2739865C2 (en) System and method of detecting a malicious file
EP3251043B1 (en) Methods and systems for identifying potential enterprise software threats based on visual and non-visual data
EP3416083B1 (en) System and method of detecting anomalous events
EP3252647B1 (en) System and method of detecting malicious files on a virtual machine in a distributed network
CN109684072B (en) System and method for managing computing resources for detecting malicious files based on a machine learning model
US11019494B2 (en) System and method for determining dangerousness of devices for a banking service
US10372907B2 (en) System and method of detecting malicious computer systems
CN107070845B (en) System and method for detecting phishing scripts
EP3246842B1 (en) System and method of distributing files between virtual machines forming a distributed system for performing antivirus scans
RU2750627C2 (en) Method for searching for samples of malicious messages
US9838420B2 (en) System and method for distributing most effective antivirus records to user devices
US9154519B1 (en) System and method for antivirus checking of objects from a plurality of virtual machines
RU2702081C2 (en) Web property modification detection system and method
EP3462354B1 (en) System and method for detection of anomalous events based on popularity of their convolutions
EP4060937A1 (en) Systems and methods for building a honeypot system

Legal Events

Date Code Title Description
AS Assignment

Owner name: AO KASPERSKY LAB, RUSSIAN FEDERATION

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:VLAZNEV, DENIS O;VOITOV, NIKITA M;VASILYEV, MAXIM A;AND OTHERS;REEL/FRAME:041251/0290

Effective date: 20170208

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4